Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my regex to remove all text before an optional character?

goodsellt
Contributor
‎05-19-2016 02:00 PM

I'm attempting to us rex or a similar function that will be able to help me remove the domain identifier from a username from a list of events where that may not always be present.

The usernames in a list can appear like:
MA\user2
JP\user5
user6
far\user4

The closest thing I've got is: (^[^\\\\]+\\\\)?(?P\w+)

However, that isn't working correctly as I'm getting the MA, JP, etc in my field instead of the text afterward for those which have those identifiers.

Could someone help identify what I may have done wrong? I've been using regexpal.com to do some testing, but on that site, it appears what I'm doing is correct.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-19-2016 02:14 PM

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-19-2016 02:21 PM

Try like this

| gentimes start=-1 | eval username="MA\user2 JP\user5 user6 far\user4" | table username |  eval username=replace(username, "\w+(\\\\)+","")
0 Karma
Reply
Solved! Jump to solution

goodsellt
Contributor
‎05-20-2016 07:58 AM

I'd also like to mention this workout out pretty well as well, though in some strange cases it was blanking out the entire username.

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎05-19-2016 02:14 PM

Try the following regex instead:

 rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+ you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested

Reply
Solved! Jump to solution

goodsellt
Contributor
‎05-20-2016 07:57 AM

That second regex worked out perfectly for our situation.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...