Solved: Re: How to use rex to remove the domain from the "...

kris99 · ‎10-06-2014

How do I use regex within search to remove the domain from the field "User name" and use the username only as named extraction.

domain\username

something like this i think but don't know who to write regex to extract username or extract everything after "\" from field "User name"

| rex field="User name" "" | eval UserName=lower(UserName) | where UserName=lower(UserName) | search UserName="*"

richgalloway · ‎10-06-2014

Try this:

... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

If Splunk doesn't like a field name with a space in it, try this:

... | eval domainUsername="User name" | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎10-06-2014

Try this:

... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

If Splunk doesn't like a field name with a space in it, try this:

... | eval domainUsername="User name" | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-07-2014

Please accept the answer.

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-07-2014

yes i did.

just so i learn how to write regex, if it was seperated by : what would i replace it with ?

richgalloway · ‎10-07-2014

In the regex in the answer, the four backslashes are the separator between the domain and username. If the separator becomes ':' then the regex becomes "(?\S+):(?\S+)".

A good way to learn is through experimentation. Try regexr.

---
If this reply helps you, Karma would be appreciated.

richgalloway · ‎10-06-2014

The escape character needs to be escaped. I've updated the answer.

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-06-2014

works like a charm.. thank you !

richgalloway · ‎10-06-2014

What do you get?

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-06-2014

same error above

richgalloway · ‎10-06-2014

The backslash needs to be escaped.

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-06-2014

only using this.. no luck

rex field=domainUsername "(?<domain>\S+)\\(?<userName>\S+)"

richgalloway · ‎10-06-2014

The parts between < and > define a Splunk field into which rex will extract matches. They're not placeholders. Change "domain-22" back to "domain" and it should work.

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-06-2014

still getting same error. tried both options above

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain>\S+)\(?<userName>\S+)': Regex: unmatched parentheses

kris99 · ‎10-06-2014

getting an error as below. domain includes domain-22\username

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain-22>\S+)\(?<userName>\S+)': Regex: unmatched parentheses

richgalloway · ‎10-06-2014

Just what? If there's a character between the quotation marks, it's not showing up. Escape the character or use backtics.

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-06-2014

editor is removing backward slash

kris99 · ‎10-06-2014

 domain\username

richgalloway · ‎10-06-2014

What separates domain from username? Please share a sample of your data.

---
If this reply helps you, Karma would be appreciated.

kris99 · ‎10-06-2014

just "\"

"User name"=domain\username

How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life