Splunk Search

Extracting users from a list

ryangillan
Explorer
2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1', 'user2', '$template', 'user233', 'svc_user1', ]

I have this log file that outputs a list of users to be deleted.
I want to search this output and extract the users into fields, then exclude the $template* & svc_users* users.

I have tried this to extract the users to a field.

  search "list:" | eval del_users=split(_raw,"', '") | table del_users

Output looks like:

2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1
user2
$template
user233
svc_user1
 

Any suggestions to get a better output or how I should be doing this?

1 Solution

vnravikumar
Champion

Hi

Try this

| rex field=log max_match=0 "\[{0,}\'(?P<output>[^',]+)" 
| mvexpand output 
| table output


ryangillan
Explorer

This looks like what I need.

|search "list:" | rex field=log "\[(?<del_users>.*)\, \]" | eval users=split(_raw,"', '") | mvexpand users
|search NOT users IN ("$*templat*","svc*") | table users

 

inventsekar
SplunkTrust

Did you check the "rex" regular expression...

 

| makeresults 
| eval log="2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1', 'user2', '$template', 'user233', 'svc_user1', ]" 
| rex field=log "\[(?<del_users>.*)\, \]" 
| table del_users

 

EDIT - verified and adding the screenshot: rex-del-users.jpg

 

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
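
Added example, not part of any post in this thread: a self-contained search that combines the two rex approaches from the answers (scope to the bracketed list first, then pull out each quoted name) with the exclusion the question asks for. The `log` event is the sample line from the question recreated with `makeresults`; `list_body` and `del_user` are field names chosen here for illustration.

```spl
| makeresults
| eval log="2020-10-19 05:00:03,744 INFO main() Deletion list: ['user1', 'user2', '$template', 'user233', 'svc_user1', ]"
| rex field=log "Deletion list: \[(?<list_body>[^\]]*)\]"
| rex field=list_body max_match=0 "'(?<del_user>[^']+)'"
| mvexpand del_user
| where NOT match(del_user, "^([$]template|svc_)")
| table del_user
```

Against indexed events, drop the first two lines and point the first `rex` at `_raw` (or whichever field holds the message). Limiting the second `rex` to `list_body` keeps quoted strings elsewhere in the event out of the results.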