Splunk Search

How to write the regex for field extraction or rex of a username in my sample data?



I have been banging my head against the wall most of the morning on this. I am trying to create a field extraction or runtime rex to pull out the username from this raw text:

Jan 22 19:48:00 %ASA-6-302016: Teardown UDP connection 152169465 for outside: to outside: duration 0:02:03 bytes 150 (mickey_mouse)

Obviously the username is mickey_mouse in my example, but I cannot extract it without the parentheses and can't get rex going at all.

Can someone with more regex knowledge lend me a hand?

Thanks so much,


1 Solution

Splunk Employee
| rex "\((?<username>[\w_]+)\)$"

where [\w_] contains all potential characters used in usernames.

Check out this tool: https://regex101.com/#pcre
It makes testing regular expressions easy



Maybe something like this, as long as the only parens are the ones around the username?

rex "\((?<username>[^\)]*)\)"



Just so I fully understand: \w will match letters and numbers? The following underscore necessitates an underscore, the + says keep going, but what part of this excludes the opening and closing parentheses?


BTW, this worked!


Splunk Employee

The \w metacharacter is used to find a word character. A word character is a character from a-z, A-Z, 0-9, including the _ (underscore) character.

So actually, adding the underscore was redundant. Basically anything in the brackets [ ] is the set of symbols allowed. The plus says one or more.

When we put a backslash before the first parenthesis, we tell the regex engine to treat the parenthesis as a literal parenthesis. It is called 'escaping' the character. So if you wanted to match a literal plus, you'd need to type \+, otherwise it will be interpreted as a metacharacter.

So in the beginning, we say \( for the first parenthesis, a literal
Then we open a capture group with a parenthesis and name the field with (?<username>
Specify our possible letters with [\w]
Specify we want more than 0 with +
Close the capture group with the parenthesis )
Then we once again say we want to match (not capture) a literal parenthesis with \)
Lastly, we say it needs to be at the very end of the line with a $
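To see what each piece of the accepted regex does, and to compare it with the unanchored `[^\)]*` alternative posted above, here is an added example that is not code from the thread. It runs both patterns, plus a broadened variant (an assumption for this example, not from the thread), over the line from the question and three constructed ASA-style lines. Node.js is used because its regex engine accepts the `(?<name>...)` named-group syntax exactly as written in the answers.

```javascript
// Added example, not code from the original thread: run the accepted regex,
// the alternative answer's regex, and a broadened variant over the line from
// the question plus constructed ASA-style lines, to show what each piece does.

// Accepted answer: word characters only, anchored to the end of the event.
const ACCEPTED = /\((?<username>[\w_]+)\)$/;
// Other answer: anything up to the next ')', but not anchored to the end.
const ALTERNATIVE = /\((?<username>[^\)]*)\)/;
// Broadened form (an assumption for this example): any characters except ')',
// still anchored with $ so only the trailing "(user)" token is taken.
const BROADER = /\((?<username>[^)]+)\)$/;

// Sample events. Only the first is from the question; the rest are constructed
// to exercise edge cases: a username with non-word characters, no username at
// all, and an earlier parenthesised token on the same line.
const SAMPLES = [
  "Jan 22 19:48:00 %ASA-6-302016: Teardown UDP connection 152169465 for outside: to outside: duration 0:02:03 bytes 150 (mickey_mouse)",
  "Jan 22 19:48:01 %ASA-6-302016: Teardown UDP connection 152169466 for outside: to outside: duration 0:00:10 bytes 64 (corp\\mickey.mouse)",
  "Jan 22 19:48:02 %ASA-6-302016: Teardown UDP connection 152169467 for outside: to outside: duration 0:00:01 bytes 32",
  "Jan 22 19:48:03 %ASA-6-302016: Teardown UDP connection 152169468 for outside: (idfw) to outside: duration 0:00:01 bytes 32 (donald_duck)",
];

// Equivalent of `| rex "<regex>"`: returns the captured username, or null when
// the regex does not match (rex just leaves the field unset in that case).
function extractUsername(line, regex) {
  const m = regex.exec(line);
  return m ? m.groups.username : null;
}

// Apply one regex to every sample line.
function extractAll(regex, lines = SAMPLES) {
  return lines.map((line) => extractUsername(line, regex));
}

// Side-by-side comparison of the three patterns over the four lines.
for (const [name, re] of Object.entries({ ACCEPTED, ALTERNATIVE, BROADER })) {
  console.log(name.padEnd(12), JSON.stringify(extractAll(re)));
}
```

The output shows the trade-offs: `[\w_]+` misses `corp\mickey.mouse` because `\` and `.` are not word characters, the unanchored `[^\)]*` grabs the first parenthesised token (`idfw`) instead of the username on the constructed fourth line, and `[^)]+` with the `$` anchor handles both. Splunk's rex and the `EXTRACT-<name> = <regex>` setting in props.conf both use PCRE; the only difference from Node's engine that matters here is that PCRE's `$` also matches just before a trailing newline, which has no effect on single-line events like these. Since the captured value comes from data the remote user controls, keep the `$` anchor and widen the character class only as far as your identity source actually allows; a username containing `)` would be cut short by `[^)]+`.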
