Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to write regex to extract one capture group for user ID?

kmcconnell
Path Finder
‎09-16-2014 05:17 AM

I have a regex question that I hope will be easy for someone. I’m not big on regexes so I’m coming to you all for help. I have events where the user account is coming in by itself (xyz123) and sometimes with the domain (domain\xyz123), see below. I was able to just pull out the user IDs with a regex, but it had two capture groups instead of just one [U|u]ser\s(?:[\w\.]+\\(\w+)|([\w]+))\s. I’d like to have one capture group that only has the user ID.

[MsgID: 2]The user domain\xyz123 with source IP address

[MsgID: 2]The user xyz123 with source IP address
Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-16-2014 05:28 AM

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

View solution in original post

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-16-2014 05:30 AM

Hi kmcconnel,

assuming your ID's are always 6 alphanumeric values and are always before with in the events, try this regex:

(?<myUserID>\w{6})(?=\swith)

hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎09-16-2014 05:28 AM

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

Reply
Solved! Jump to solution

kmcconnell
Path Finder
‎09-17-2014 10:41 AM

I tried both approaches and they both work, but the answer from martin_mueller was what I had been working toward. Thank you both for the help.

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-16-2014 03:17 PM

This works fine after added additional backslash after [\w.]+

Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎09-16-2014 05:31 AM

HeHe, too slow again....

Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

Ready to master Kubernetes and cloud monitoring like the pros?Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...