Splunk Search

How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

kris99
New Member

How do I use regex within a search to remove the domain from the field "User name" and use the username only as a named extraction?

domain\username

Something like this, I think, but I don't know how to write the regex to extract the username, or to extract everything after "\" from the field "User name":

| rex field="User name" "" | eval UserName=lower(UserName) | where UserName=lower(UserName) | search UserName="*"

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try this:

... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

If Splunk doesn't like a field name with a space in it, try this:

... | eval domainUsername='User name' | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...
---
If this reply helps you, Karma would be appreciated.


richgalloway
SplunkTrust
SplunkTrust

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

Yes, I did.

Just so I learn how to write regex: if it was separated by ':', what would I replace it with?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

In the regex in the answer, the four backslashes are the separator between the domain and username. If the separator becomes ':' then the regex becomes "(?<domain>\S+):(?<userName>\S+)".

A good way to learn is through experimentation. Try regexr.

---
If this reply helps you, Karma would be appreciated.
0 Karma
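The two escaping layers this thread turns on, as an added example that is not from the thread or from Splunk: `splUnescape` is a simplified model (an assumption) of how SPL reads a double-quoted string, and `rexExtract` then compiles the result as a regex, so it reproduces why `\\` fails with an unmatched-parenthesis error while `\\\\` matches one literal backslash, and shows the ':' variant from the follow-up question. The "User name" values are constructed.

```javascript
// Added example (not from the thread): emulate the two levels of escaping a
// Splunk rex pattern goes through. Step 1: the SPL parser unescapes the
// double-quoted string literal. Step 2: the result is compiled as a PCRE-style
// regex. JavaScript named groups use the same (?<name>...) syntax as Splunk.

// Step 1 (simplified model, an assumption about SPL): inside double quotes only
// \\ and \" are escape sequences; any other backslash such as \S passes through.
function splUnescape(literal) {
  return literal.replace(/\\([\\"])/g, '$1');
}

// Step 2: compile the unescaped pattern and run it against one field value.
// Returns {domain, userName} on a match (userName lower-cased, like the eval in
// the answer), null on no match, or {error, compiled} when the regex does not
// compile, which is what Splunk reports as "Error in 'rex' command".
function rexExtract(splLiteral, value) {
  const compiled = splUnescape(splLiteral);
  let re;
  try {
    re = new RegExp(compiled);
  } catch (e) {
    return { error: e.message, compiled };
  }
  const m = re.exec(value);
  if (!m || !m.groups) return null;
  return { domain: m.groups.domain, userName: m.groups.userName.toLowerCase() };
}

// Patterns exactly as typed between the quotes of the rex command.
const FOUR_BACKSLASHES = String.raw`(?<domain>\S+)\\\\(?<userName>\S+)`; // accepted answer
const TWO_BACKSLASHES = String.raw`(?<domain>\S+)\\(?<userName>\S+)`;    // the failing attempt
const COLON_SEPARATOR = String.raw`(?<domain>\S+):(?<userName>\S+)`;     // the ':' follow-up

// Constructed sample values for the "User name" field.
const SAMPLE_BACKSLASH = String.raw`domain-22\Kris99`;
const SAMPLE_COLON = 'domain-22:Kris99';

console.log(rexExtract(FOUR_BACKSLASHES, SAMPLE_BACKSLASH)); // { domain: 'domain-22', userName: 'kris99' }
console.log(rexExtract(TWO_BACKSLASHES, SAMPLE_BACKSLASH));  // error: the lone \ escapes the ( of the second group
console.log(rexExtract(COLON_SEPARATOR, SAMPLE_COLON));      // { domain: 'domain-22', userName: 'kris99' }
```

The `compiled` string returned on failure is the same single-backslash regex that the "unmatched parentheses" error later in this thread quotes back.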

richgalloway
SplunkTrust
SplunkTrust

The escape character needs to be escaped. I've updated the answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

Works like a charm... thank you!

0 Karma

richgalloway
SplunkTrust
SplunkTrust

What do you get?

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

Same error as above.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The backslash needs to be escaped.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

Only using this... no luck:

rex field=domainUsername "(?<domain>\S+)\\(?<userName>\S+)" 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

The parts between < and > define a Splunk field into which rex will extract matches. They're not placeholders. Change "domain-22" back to "domain" and it should work.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

Still getting the same error. Tried both options above.

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain>\S+)\(?<userName>\S+)': Regex: unmatched parentheses 
0 Karma

kris99
New Member

Getting an error as below. The domain includes "domain-22\username".

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain-22>\S+)\(?<userName>\S+)': Regex: unmatched parentheses 
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Just what? If there's a character between the quotation marks, it's not showing up. Escape the character or use backticks.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

The editor is removing the backslash.

0 Karma

kris99
New Member
 domain\username
0 Karma

richgalloway
SplunkTrust
SplunkTrust

What separates domain from username? Please share a sample of your data.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kris99
New Member

just "\"

"User name"=domain\username

0 Karma