Re: Extracting a username from logs files using Re...

ifsuser · ‎04-04-2012

Hi im trying to extract domain usernames from my juniper log files using regex however depending on the log message the fully qualified domain name isnt always displayed

See example below:

line 1:      juniper -ive -] domain/user1(realm) etc. etc.
Line2:       juniper -ive -] user2(realm) etc. etc.

i would like to extract just the username into a group so i'm trying to exclude the word "DOMAIN/" so far i have this:

]\s(?!DOMAIN\/\b)([a-z_0-9]+)

however it only seems to capture user2

Thanks,

ifsuser · ‎04-05-2012

Hi guys, neither of them worked, in the end i used this:

]\s(?:DOMAIN\*)?(.\w+)

but thanks anyways

cvajs · ‎04-05-2012

pls escape backslashes with a \ otherwise we readers see confusing stuff because this forum takes a single \ as a special char. a real pita imho.

RicoSuave · ‎04-05-2012

That's odd. I tested it and it works. But, if your regex is now working, that's all that matters. Cheers!

RicoSuave · ‎04-04-2012

This should work too:

-]\s((?<domain>\w+)/)?(?<user>\w+)

🙂

ziegfried · ‎04-04-2012

this one might work:

ive\s+-\]\s+((?<domain>\w+)/)?(?<user>\w+)\((?<realm>\w+)\)

cvajs · ‎04-04-2012

does it support negative/positive lookahead and lookbehind?
your (?!) is a negative lookahead, you need a positive lookbehind if using "domain/"

maybe this
([A-Za-z]{1,10}([0-9]{1,5})?)(?=\()|(?<=/)([A-Za-z]{1,10}([0-9]{1,5})?)
or
([A-Za-z]{1,10}(\d+)?)(?=\()|(?<=/)([A-Za-z]{1,10}(\d+)?)

but a single pos lookahead should suffice
([A-Za-z]{1,10}(\d+)?)(?=\(realm\))

Extracting a username from logs files using Regex

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...