I want to start after the \ and collect the user name but the user name is in delimited format (.)
field name = UserName
example of a field value
BDDLOX3855\john.doe
Would it be possible to replace the . with a space after using my regex request?
Try like this
your current search with field UserName
| eval UserName=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")
Runanywhere sample search:
| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")
Thank you @somesoni2! Can you please walk me through the regex you used as I'm trying to learn
The regex used in the replace command (2nd argument) creates a capturing group for each segment of the value of the field UserName. E.g.
BDDLOX3855\john.doe
{segment1}\{segment2}.{segment3}.
Then, in the 3rd argument of the replace command, we're displaying the captured segments as per our need (dropping segment1 and adding a space between segment2 and segment3). You can play around with the runanywhere search to get a feel for the replace command.
| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","seg1: \1, seg2: \2, seg3: \3")
Assuming your line is the BDDLOX3855\john.doe value (format is domain\username)
The following reg should work
"^(?P<testDomain>[^\\\]+)\\\(?P<testFirstname>[a-z^\.]+)\.(?P<testLastname>[a-z^\s]+)\s"
Note, I have also split the username to firstname and lastname. This should give you more flexibility
I wasn't able to get this to work. I'm really trying to grasp using regex, so would you mind explaining the regex you use to help me better understand how to write it myself? I'm also not really interested in creating new fields for first name and another for last name. It was mostly a would-be-nice, if possible, to replace the . with a space so my output for UserName showed first name last name.
hi john,
dissecting the regex ... it is {from beginning of line}{extract the first token}{delimiter of backslash}{extract the 2nd token which is testFirstname}{delimiter of dot}{extract the 3rd token which is testLastname}{delimiter of space}
Details
1. (?Pregular pattern here) is the format to extract a field
understand the regular expression [] syntax
e.g. [a-z]+ means any characters (one or more) that is from "a" to "z"
[A-Z]+ means any characters (one or more) that is from "A" to "Z"
[0-9]+ means any numeric characters
the escape sequence in regex which is the "\".
note \s means space
^ has double meaning - beginning of the line or if it is inside [], then it means any character that is NOT the next character.
e.g [^\] means any character that is not your backslash
[^.] means any character that is not a dot
[^\s] means any character that is not a space
To make it easy, you can use the field extraction wizard from Splunk web, but I found the generated regex inflexible and it can't handle all the cases. I normally have to tweak the generated regex.
Hope this helps.
try this
your search | eval UserName= replace(UserName,".",". ")
This eval replaced the field data with .............. only and didn't cut the domain\ leaving just the user name as I'm looking to do
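The capture-group walk-through and the unescaped-dot result reported in the last reply, reproduced as an added example with Python's re module (not code from the thread; Splunk's eval string escaping differs, so the patterns are written as Python raw strings). The function names, strip_domain_general, and every sample value other than BDDLOX3855\john.doe are assumptions constructed for illustration.

```python
import re

# Pattern from the accepted answer: {segment1}\{segment2}.{segment3}
THREE_SEGMENTS = re.compile(r"(\w+)\\(\w+)\.(\w+)")


def strip_domain_answer(user_name):
    # Same idea as replace(UserName, <pattern>, "\2 \3"): keep groups 2 and 3.
    # A value that does not match the pattern is returned unchanged.
    return THREE_SEGMENTS.sub(r"\2 \3", user_name)


def unescaped_dot(user_name):
    # Same idea as replace(UserName, ".", ". "): an unescaped "." is a
    # wildcard, so every character matches and the original text is lost.
    return re.sub(r".", ". ", user_name)


def strip_domain_general(user_name):
    # Generalization (assumption, not from the thread): drop an optional
    # "DOMAIN\" prefix, then replace every literal dot (escaped as \.)
    # with a space. Handles no domain, no dot, and more than one dot.
    account = re.sub(r"^[^\\]+\\", "", user_name)
    return re.sub(r"\.", " ", account)


if __name__ == "__main__":
    # Constructed sample values; only the first comes from the thread.
    samples = [
        "BDDLOX3855\\john.doe",
        "BDDLOX3855\\jdoe",
        "BDDLOX3855\\mary.ann.smith",
        "john.doe",
    ]
    for value in samples:
        print(repr(value),
              "| answer:", repr(strip_domain_answer(value)),
              "| general:", repr(strip_domain_general(value)),
              "| unescaped dot:", repr(unescaped_dot(value)))
```

Values without a dot, or with more than one, pass through the three-group pattern partly or wholly unchanged, which matters when the normalized name is later used as a join or lookup key across log sources.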