Solved: How do you create a regex expression which creates...

synking · ‎10-22-2018

Hey,

i need assistance in trying to figure out how to create a field and extract the text after that. I am not sure how to go about doing this. i have looked in the documentation and on here for questions that are similar, but nothing i try seems to work. Basically, in the logs I am searching, there is a string:

SERVERNAME\USERNAME

I want to create a field called username from the above entry. There is always a space after and before those two words and always the backslash. Here is what i have so far:

rex field=_raw "SERVERNAME\\:\s+(?<USERNAME>[^\s]+)"

But, I am not sure what i am doing wrong. Any help is gladly accepted. Thanks.

493669 · ‎10-22-2018

@synking, try this:

|rex "SERVERNAME\s\\\s(?<username>[^\s]+)"

View solution in original post

493669 · ‎10-22-2018

@synking, try this:

|rex "SERVERNAME\s\\\s(?<username>[^\s]+)"

synking · ‎10-22-2018

Wait nvm it worked I was just putting it in the wrong field.

synking · ‎10-22-2018

Thanks but even when i try that it does not seem to work. I get the search to complete but it shows everything in every log.

How do you create a regex expression which creates a field and returns text after a backslash?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!