Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regex to remove all text before an optional character?

goodsellt
Contributor
‎05-19-2016 02:00 PM

I'm attempting to us rex or a similar function that will be able to help me remove the domain identifier from a username from a list of events where that may not always be present.

The usernames in a list can appear like:
MA\user2
JP\user5
user6
far\user4

The closest thing I've got is: (^[^\\\\]+\\\\)?(?P\w+)

However, that isn't working correctly as I'm getting the MA, JP, etc in my field instead of the text afterward for those which have those identifiers.

Could someone help identify what I may have done wrong? I've been using regexpal.com to do some testing, but on that site, it appears what I'm doing is correct.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-19-2016 02:14 PM

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2016 02:21 PM

Try like this

| gentimes start=-1 | eval username="MA\user2 JP\user5 user6 far\user4" | table username |  eval username=replace(username, "\w+(\\\\)+","")
0 Karma
Reply
Solved! Jump to solution

goodsellt
Contributor
‎05-20-2016 07:58 AM

I'd also like to mention this workout out pretty well as well, though in some strange cases it was blanking out the entire username.

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-19-2016 02:14 PM

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

Reply
Solved! Jump to solution

goodsellt
Contributor
‎05-20-2016 07:57 AM

That second regex worked out perfectly for our situation.

0 Karma
Reply
Get Updates on the Splunk Community!

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...