Splunk Search

How to edit my regex to remove all text before an optional character?

goodsellt
Contributor

I'm attempting to us rex or a similar function that will be able to help me remove the domain identifier from a username from a list of events where that may not always be present.

The usernames in a list can appear like:
MA\user2
JP\user5
user6
far\user4

The closest thing I've got is: (^[^\\\\]+\\\\)?(?P\w+)

However, that isn't working correctly as I'm getting the MA, JP, etc in my field instead of the text afterward for those which have those identifiers.

Could someone help identify what I may have done wrong? I've been using regexpal.com to do some testing, but on that site, it appears what I'm doing is correct.

0 Karma
1 Solution

javiergn
Super Champion

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

View solution in original post

somesoni2
Revered Legend

Try like this

| gentimes start=-1 | eval username="MA\user2 JP\user5 user6 far\user4" | table username |  eval username=replace(username, "\w+(\\\\)+","") 
0 Karma

goodsellt
Contributor

I'd also like to mention this workout out pretty well as well, though in some strange cases it was blanking out the entire username.

0 Karma

javiergn
Super Champion

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

goodsellt
Contributor

That second regex worked out perfectly for our situation.

0 Karma
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...