I have a user field where the name may or may not be prefixed with DOMAIN\ as shown below:
DOMAIN\CWIX-USER-SC-4
a.roset.nor
b.cwix.usa
DOMAIN\b-cwix-usa
b.mccartney.pld
c.merri.bel
I used regex.com PCRE (PHP) to craft the following expression:
(\S+\\)?(?P<username>[(\S+|\S+)]+)
However, when I use that expression in my search query, I'm getting the following error:
Error in 'rex' command: Encountered the following error while compiling the regex '((\S+\)?(?P<username>[(\S+|\S+)]+))': Regex: missing closing parenthesis.
Here is the line in the search query:
| rex field=user "((\S+\\)?(?P<username>[(\S+|\S+)]+))"
I have used the rex field statement many times in previous searches so I'm kind of lost at what is going on here. It's been a long week crafting dashboards and an extra set of eyes would be appreciated.
Unfortunately, your suggested rex did not produce any results. I ended up using the mvindex(split(field, "\\"), -1) statement instead. Thanks for your help.
Took me a minute; I posted it wrong the first time.
This works;
I forgot to match "^" (basically \ OR ^ begins with)
| rex field=user "(\w+\\|^)(?<username>.*)"
https://regex101.com/ (saves my bacon)
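Why the search in the question fails to compile, as an added example (not code from any poster in this thread): the error message shows the regex arriving with `\S+\)`, so one backslash was consumed before compilation and the remaining one escapes the closing parenthesis. `spl_unquote` is a simplified, assumed model of that quoted-string pass, and `FIXED` is a hypothetical pattern with one more escaping layer, checked against the `split` workaround from the thread.

```python
import re

# Sample values copied from the question.
USERS = [
    "DOMAIN\\CWIX-USER-SC-4", "a.roset.nor", "b.cwix.usa",
    "DOMAIN\\b-cwix-usa", "b.mccartney.pld", "c.merri.bel",
]

# Raw strings hold exactly what is typed between the quotes of the rex command.
AS_TYPED = r'((\S+\\)?(?P<username>[(\S+|\S+)]+))'   # from the question
# Hypothetical fix: four backslashes typed, two reach the regex engine,
# which reads them as one literal backslash.
FIXED = r'^(?:[^\\\\]+\\\\)?(?P<username>.+)$'

def spl_unquote(arg):
    # Assumed model of the string pass that runs before the regex compiler:
    # \\ becomes \ and \" becomes "; every other escape (\S, \w) is kept.
    return re.sub(r'\\([\\"])', r'\1', arg)

def compile_error(arg):
    # Compile the regex as the engine receives it; return the error text or None.
    try:
        re.compile(spl_unquote(arg))
        return None
    except re.error as exc:
        return str(exc)

def extract(arg, users=USERS):
    # Apply the unquoted regex to each user value, like rex field=user.
    rx = re.compile(spl_unquote(arg))
    found = {}
    for user in users:
        match = rx.search(user)
        found[user] = match.group("username") if match else None
    return found

def via_split(users=USERS):
    # Python equivalent of the workaround: mvindex(split(user, "\\"), -1)
    return {user: user.split("\\")[-1] for user in users}

if __name__ == "__main__":
    print("engine sees:", spl_unquote(AS_TYPED))
    print("as typed   :", compile_error(AS_TYPED))
    print("fixed      :", compile_error(FIXED))
    for user, name in extract(FIXED).items():
        print(f"{user:24} -> {name}")
```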