How do I use regex within search to remove the domain from the field "User name" and use the username only as named extraction?
domain\username
Something like this, I think, but I don't know how to write the regex to extract the username or extract everything after "\" from field "User name"
| rex field="User name" "" | eval UserName=lower(UserName) | where UserName=lower(UserName) | search UserName="*"
Try this:
... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...
If Splunk doesn't like a field name with a space in it, try this:
... | eval domainUsername='User name' | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...
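The escaping problem discussed in this thread, as an added example that is not part of the original posts: the JavaScript below models, as a simplifying assumption, how the quoted rex argument loses one level of backslashes before the regex engine compiles it, which is why two backslashes fail and four match the separator. The function names `splUnquote` and `extract` and the sample values are constructed for illustration.

```javascript
// Added example, not from the thread. splUnquote() is a simplified, ASSUMED
// model of how a double-quoted search argument is read before the regex
// engine sees it: \\ becomes \ and \" becomes ", while other sequences
// such as \S pass through unchanged.
function splUnquote(quoted) {
  return quoted.replace(/\\([\\"])/g, "$1");
}

// Compile the pattern the regex engine would receive and apply it to value.
// Returns { error } if the pattern does not compile, otherwise the two
// named captures (userName lower-cased, like the eval lower() step).
function extract(quotedPattern, value) {
  let re;
  try {
    re = new RegExp(splUnquote(quotedPattern));
  } catch (e) {
    return { error: e.message };
  }
  const m = re.exec(value);
  if (!m) return { domain: null, userName: null };
  return { domain: m.groups.domain, userName: m.groups.userName.toLowerCase() };
}

// Patterns exactly as typed between the quotation marks.
// String.raw keeps every backslash literal.
const TWO_BACKSLASHES = String.raw`(?<domain>\S+)\\(?<userName>\S+)`;
const FOUR_BACKSLASHES = String.raw`(?<domain>\S+)\\\\(?<userName>\S+)`;
const COLON = String.raw`(?<domain>\S+):(?<userName>\S+)`;

// Constructed sample values.
const samples = [String.raw`domain-22\UserName`, String.raw`CORP\jsmith`];

for (const value of samples) {
  // Two backslashes collapse to one, which escapes the "(" that follows,
  // so the closing ")" of the second group is left unmatched.
  console.log(value, "two :", extract(TWO_BACKSLASHES, value));
  // Four collapse to two, which the regex engine reads as one literal "\".
  console.log(value, "four:", extract(FOUR_BACKSLASHES, value));
}
// A separator that is not a regex metacharacter needs no escaping at all.
console.log(extract(COLON, "domain-22:UserName"));
```
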
Please accept the answer.
Yes, I did.
Just so I learn how to write regex, if it was separated by :
what would I replace it with?
In the regex in the answer, the four backslashes are the separator between the domain and username. If the separator becomes ':' then the regex becomes "(?<domain>\S+):(?<userName>\S+)".
A good way to learn is through experimentation. Try regexr.
The escape character needs to be escaped. I've updated the answer.
works like a charm.. thank you !
What do you get?
same error above
The backslash needs to be escaped.
only using this.. no luck
rex field=domainUsername "(?<domain>\S+)\\(?<userName>\S+)"
The parts between < and > define a Splunk field into which rex will extract matches. They're not placeholders. Change "domain-22" back to "domain" and it should work.
still getting same error. tried both options above
Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain>\S+)\(?<userName>\S+)': Regex: unmatched parentheses
getting an error as below. domain includes domain-22\username
Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain-22>\S+)\(?<userName>\S+)': Regex: unmatched parentheses
Just what? If there's a character between the quotation marks, it's not showing up. Escape the character or use backticks.
editor is removing backward slash
domain\username
What separates domain from username? Please share a sample of your data.
just "\"
"User name"=domain\username