Splunk Search

Error extracting username when using the | rex field= statement

cantrellr
New Member

I have a user field where the name may or may not be prefixed with DOMAIN\ as shown below:

DOMAIN\CWIX-USER-SC-4
a.roset.nor
b.cwix.usa
DOMAIN\b-cwix-usa
b.mccartney.pld
c.merri.bel

I used regex.com PCRE (PHP) to craft the following expression:

(\S+\\)?(?P<username>[(\S+|\S+)]+)

However, when I use that expression in my search query, I'm getting the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '((\S+\)?(?P<username>[(\S+|\S+)]+))': Regex: missing closing parenthesis.

Here is the line in the search query:

| rex field=user "((\S+\\)?(?P<username>[(\S+|\S+)]+))"

I have used the rex field statement many times in previous searches so I'm kind of lost at what is going on here. It's been a long week crafting dashboards and an extra set of eyes would be appreciated.

 

Labels (2)
0 Karma

cantrellr
New Member

Unfortunately, your suggested rex did not produce any results. I ended up using the mvindex(split(field, "\\"), -1) statement instead. Thanks for your help.

0 Karma

kennetkline
Path Finder

Took me a minute;  I posted it wrong the first time
this works;    

if forgot to match "^"  (basically  \ OR ^ begins with)  

 

| rex field=user "(\w+\\|^)(?<username>.*)"

 


https://regex101.com/  (saves my bacon)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...