Error extracting username when using the | rex fie...

cantrellr · ‎10-23-2020

I have a user field where the name may or may not be prefixed with DOMAIN\ as shown below:

DOMAIN\CWIX-USER-SC-4
a.roset.nor
b.cwix.usa
DOMAIN\b-cwix-usa
b.mccartney.pld
c.merri.bel

I used regex.com PCRE (PHP) to craft the following expression:

(\S+\\)?(?P<username>[(\S+|\S+)]+)

However, when I use that expression in my search query, I'm getting the following error:

Error in 'rex' command: Encountered the following error while compiling the regex '((\S+\)?(?P<username>[(\S+|\S+)]+))': Regex: missing closing parenthesis.

Here is the line in the search query:

| rex field=user "((\S+\\)?(?P<username>[(\S+|\S+)]+))"

I have used the rex field statement many times in previous searches so I'm kind of lost at what is going on here. It's been a long week crafting dashboards and an extra set of eyes would be appreciated.

cantrellr · ‎10-26-2020

Unfortunately, your suggested rex did not produce any results. I ended up using the mvindex(split(field, "\\"), -1) statement instead. Thanks for your help.

kennetkline · ‎10-23-2020

Took me a minute; I posted it wrong the first time
this works;

if forgot to match "^" (basically \ OR ^ begins with)

| rex field=user "(\w+\\|^)(?<username>.*)"

https://regex101.com/ (saves my bacon)

Error extracting username when using the | rex field= statement

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

Join the Conversation