Re: Regex Help!

NShimmen · ‎04-26-2018

Hi!

First time I am attempting Regex commands and I have got pretty stuck so any help would be much appreciated. I have a string data that appears in a table as "Network User::(FirstName).(Surname)".

How could I use the regex command to get rid of Network User and just display the first and second name in the results table?

So my search would be something like:

...| stats count by user|regex......| table user, count

Thanks!

p_gurav · ‎04-26-2018

Can you try something:

...| stats count by user| rex field=user mode=sed "s/Network User::*//g" | table user, count

TISKAR · ‎04-26-2018

Hello,
Try this:

.| stats count by user | rex field=a "::\((?<FirstName>[^.)]*)\)\.\((?<Surname>[^.)]*)"

For Example:

| makeresults |eval a= "Network User::(FirstName).(Surname)" | rex field=a "::\((?<FirstName>[^.)]*)\)\.\((?<Surname>[^.)]*)"

damien_chillet · ‎04-26-2018

An example of regex extraction that would work with the example string you provided:

| rex field=user "::\((?P<first_name>[^\)]+)\)\.\((?P<surname>[^\)]+)\)"

David_Naylor · ‎04-26-2018

Try to get those field extractions done. You can do it inline with the following
|rex "Network\sUser::(?P\w+)).((?P\w+)) | table FirstName,Surname,count

Regex Help!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation