Solved: Re: How to extract username from my data?

thambisetty_bal · ‎02-02-2017

Hi Splunkers,

I have been struggling to extract user name from below values of user.

user
--------
user1@sa.com
sab\user2
user3

OUTPUT
------------
user1
user2
user3

kindly help me out..

somesoni2 · ‎02-02-2017

Give this a try. (Runanywhere sample search, first line is just to generate sample data).

| gentimes start=-1 | eval user="user1@sa.com sab\user2 user3" | table user | makemv user | mvexpand user 
| rex field=user "(?<cleanedUser>\w+)(\@|$)"

View solution in original post

somesoni2 · ‎02-02-2017

Give this a try. (Runanywhere sample search, first line is just to generate sample data).

| gentimes start=-1 | eval user="user1@sa.com sab\user2 user3" | table user | makemv user | mvexpand user 
| rex field=user "(?<cleanedUser>\w+)(\@|$)"

thambisetty_bal · ‎02-02-2017

you are amazing @somesoni2

please explain regex Sir.

somesoni2 · ‎02-02-2017

It's capturing a full work (\w+) till you encounter a @ symbol or end of value ($). backward slash is word terminator so it works for 2nd example value as well.

How to extract username from my data?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation