Splunk Search

Any regex masters out there?

Builder

Working on a regex for a script log. Need to pull out user:

User accounts for \\
-------------------------------------------------------------------------------
Administrator            Guest                    SMSNomadP2P&            
The command completed with one or more errors.

Would work for the first account but wont grab the rest

-\s(?<field1>\S+)

Any ideas?
Thanks in advance!

Tags (2)
0 Karma
1 Solution

Esteemed Legend

That was pretty tough; try this:

(?ms)(?<=[\r\n]|\s{2})(?<field1>[^\r\n\s\-]+)(?=.*[\r\n])

This captures every username, regardless of how many appear, as a multi-valued field.

View solution in original post

Esteemed Legend

That was pretty tough; try this:

(?ms)(?<=[\r\n]|\s{2})(?<field1>[^\r\n\s\-]+)(?=.*[\r\n])

This captures every username, regardless of how many appear, as a multi-valued field.

View solution in original post

Builder

@woodcock Nice work man, I banged my head on this one for a while before posting here and quite a while after.
+1000 points for that work man, I appreciate it greatly

0 Karma

Builder

btw threw that in a transform and added mv_add = true then updated props......good to go
Thanks again

0 Karma

Splunk Employee
Splunk Employee

Awesome. Another thing to consider: If you use this in a rex command, you might need to set the max_match parameter to something other than 1.

0 Karma

SplunkTrust
SplunkTrust

Once you remove that hyphen off the front, that regex matches each of them, according to regex101.com. Your regex depends on there being a whitespace character immediately before the value you are trying to pull. Check to validate that there is one. Can you show us what the entire line of data looks like?

0 Karma

Builder

That IS the entire log, nothing more to show. If you remove the hypen it matches much more than the account names according to regex101.com, I used the hypen to match the beginning.

0 Karma

SplunkTrust
SplunkTrust

ah, so it's a single multi-line returned value, and you only want the line immediately after the line of hyphens. Got it.

0 Karma

SplunkTrust
SplunkTrust

What values you wan to capture, Administrator, Guest, SMSNomadP2P& or all?

0 Karma

Builder

yes just the user names

0 Karma