Splunk Search

How to edit my regex to remove all text before an optional character?

goodsellt
Contributor

I'm attempting to us rex or a similar function that will be able to help me remove the domain identifier from a username from a list of events where that may not always be present.

The usernames in a list can appear like:
MA\user2
JP\user5
user6
far\user4

The closest thing I've got is: (^[^\\\\]+\\\\)?(?P\w+)

However, that isn't working correctly as I'm getting the MA, JP, etc in my field instead of the text afterward for those which have those identifiers.

Could someone help identify what I may have done wrong? I've been using regexpal.com to do some testing, but on that site, it appears what I'm doing is correct.

0 Karma
1 Solution

javiergn
Super Champion

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

View solution in original post

somesoni2
Revered Legend

Try like this

| gentimes start=-1 | eval username="MA\user2 JP\user5 user6 far\user4" | table username |  eval username=replace(username, "\w+(\\\\)+","") 
0 Karma

goodsellt
Contributor

I'd also like to mention this workout out pretty well as well, though in some strange cases it was blanking out the entire username.

0 Karma

javiergn
Super Champion

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

goodsellt
Contributor

That second regex worked out perfectly for our situation.

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...