Re: Regex Help!

NShimmen · ‎04-26-2018

Hi!

First time I am attempting Regex commands and I have got pretty stuck so any help would be much appreciated. I have a string data that appears in a table as "Network User::(FirstName).(Surname)".

How could I use the regex command to get rid of Network User and just display the first and second name in the results table?

So my search would be something like:

...| stats count by user|regex......| table user, count

Thanks!

p_gurav · ‎04-26-2018

Can you try something:

...| stats count by user| rex field=user mode=sed "s/Network User::*//g" | table user, count

TISKAR · ‎04-26-2018

Hello,
Try this:

.| stats count by user | rex field=a "::\((?<FirstName>[^.)]*)\)\.\((?<Surname>[^.)]*)"

For Example:

| makeresults |eval a= "Network User::(FirstName).(Surname)" | rex field=a "::\((?<FirstName>[^.)]*)\)\.\((?<Surname>[^.)]*)"

damien_chillet · ‎04-26-2018

An example of regex extraction that would work with the example string you provided:

| rex field=user "::\((?P<first_name>[^\)]+)\)\.\((?P<surname>[^\)]+)\)"

David_Naylor · ‎04-26-2018

Try to get those field extractions done. You can do it inline with the following
|rex "Network\sUser::(?P\w+)).((?P\w+)) | table FirstName,Surname,count

Regex Help!

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!