Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction stanza help in props.conf?

pavanae
Builder
‎02-07-2020 11:34 AM

I have the username filed extraction as follows in the props.conf which extracts the username:-

[sourcetype_X]
EXTRACT-XYZ = username="(?<user>[^+\"]*)"

which extracts the field as follows 

x12345@abc-def-ghij-01.com
y67891@klm-def-ghij-01.com
z45787@abc-def-ghij-01.com
ABC-DEF

Now what would be regex stanza to extract the username as follows from the above

x12345
y67891
z45787
ABC-DEF
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2020 12:22 PM

Three things to do:

  • include the @ sign in your negated character class
  • remove the tailing double quote
  • replace the * with a + to avoid empty usernames

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2020 12:22 PM

Three things to do:

  • include the @ sign in your negated character class
  • remove the tailing double quote
  • replace the * with a + to avoid empty usernames
0 Karma
Reply
Solved! Jump to solution

pavanae
Builder
‎02-10-2020 08:09 AM

Thanks @martin_mueller could you provide me the new regex as mentioned above. I might have missing something.

0 Karma
Reply
Solved! Jump to solution

jethrop
Explorer
‎02-07-2020 11:51 AM

^(.+?)@ ie everything before the @ sign if that's a pattern

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...