Splunk Search

How to use rex to remove the domain from the "User name" field and use the username only as a named extraction?

New Member

How do I use regex within search to remove the domain from the field "User name" and use the username only as named extraction.

domain\username

something like this i think but don't know who to write regex to extract username or extract everything after "\" from field "User name"

| rex field="User name" "" | eval UserName=lower(UserName) | where UserName=lower(UserName) | search UserName="*"

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this:

... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

If Splunk doesn't like a field name with a space in it, try this:

... | eval domainUsername="User name" | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

SplunkTrust
SplunkTrust

Try this:

... | rex field="User name" "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...

If Splunk doesn't like a field name with a space in it, try this:

... | eval domainUsername="User name" | rex field=domainUsername "(?<domain>\S+)\\\\(?<userName>\S+)" | eval userName=lower(userName) | ...
---
If this reply helps you, an upvote would be appreciated.

View solution in original post

SplunkTrust
SplunkTrust

Please accept the answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

yes i did.

just so i learn how to write regex, if it was seperated by : what would i replace it with ?

0 Karma

SplunkTrust
SplunkTrust

In the regex in the answer, the four backslashes are the separator between the domain and username. If the separator becomes ':' then the regex becomes "(?\S+):(?\S+)".

A good way to learn is through experimentation. Try regexr.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

SplunkTrust
SplunkTrust

The escape character needs to be escaped. I've updated the answer.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

works like a charm.. thank you !

0 Karma

SplunkTrust
SplunkTrust

What do you get?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

same error above

0 Karma

SplunkTrust
SplunkTrust

The backslash needs to be escaped.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

only using this.. no luck

rex field=domainUsername "(?<domain>\S+)\\(?<userName>\S+)" 
0 Karma

SplunkTrust
SplunkTrust

The parts between < and > define a Splunk field into which rex will extract matches. They're not placeholders. Change "domain-22" back to "domain" and it should work.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

still getting same error. tried both options above

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain>\S+)\(?<userName>\S+)': Regex: unmatched parentheses 
0 Karma

New Member

getting an error as below. domain includes domain-22\username

Error in 'rex' command: Encountered the following error while compiling the regex '(?<domain-22>\S+)\(?<userName>\S+)': Regex: unmatched parentheses 
0 Karma

SplunkTrust
SplunkTrust

Just what? If there's a character between the quotation marks, it's not showing up. Escape the character or use backtics.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

editor is removing backward slash

0 Karma

New Member
 domain\username
0 Karma

SplunkTrust
SplunkTrust

What separates domain from username? Please share a sample of your data.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

just "\"

"User name"=domain\username

0 Karma