Splunk Search

Regex help! Want to start after the \ and collect the user name that follows

johnward4
Communicator

I want to start after the \ and collect the user name but the user name is in delimited format (.)

field name = UserName

example of a field value

BDDLOX3855\john.doe

Would it be possible to replace the . with a space after using my regex request?

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

your current search with field UserName
| eval UserName=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")

Runanywhere sample search:

| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")

View solution in original post

somesoni2
Revered Legend

Try like this

your current search with field UserName
| eval UserName=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")

Runanywhere sample search:

| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","\2 \3")

johnward4
Communicator

Thank you @somesoni2! Can you please walk me through the regex you used as I'm trying to learn

0 Karma

somesoni2
Revered Legend

The regex used in replace command (2nd argument) is creating capturing group of each of the segment of the value of field UserName. E.g.

BDDLOX3855\john.doe
{segment1}\{segment2}.{segment3}.

Then, in the 3rd argument of replace command, we're displaying the captured segments as per our need (dropping segment1 and adding a space between segment2 and segment3). You can playaround with runanywhere search to get feel of the replace command.

| gentimes start=-1 | eval UserName="DDFDF\john.doe" | table UserName | eval UserName1=replace(UserName,"(\w+)\\\(\w+)\.(\w+)","seg1: \1, seg2: \2, seg3: \3")
0 Karma

erickyi
Path Finder

assuming your line is BDDLOX3855\john.doe value (format is domain\username
The following reg should work

"^(?P<testDomain>[^\\\]+)\\\(?P<testFirstname>[a-z^\.]+)\.(?P<testLastname>[a-z^\s]+)\s"

Note, I have also split the username to firstname and lastname. This should give you more flexibility

0 Karma

johnward4
Communicator

I wasn't able to get this to work, I'm really trying to grasp using regex so if would you mind explaining the regex you use to help me better understand how to write it myself? I'm also not really interested in creating new fields for first name and another for last name. It was mostly a would be nice if possible, to replace the . with a space show my output for UserName showed first name last name

0 Karma

erickyi
Path Finder

hi john,

dissecting the regex ... it is {from beginning of line}{extract the first token}{delimiter of backslash}{extract the 2nd token which is testFirstname}{delimiter of dot}{extract the 3rd token which is testLastname}{delimiter of space}

Details
1. (?Pregular pattern here) is the format to extract a field

  1. understand the regular expression [] syntax

    e.g. [a-z]+ means any characters (one or more) that is from "a" to "z"
    [A-Z]+means any characters (one or more) that is from "A" to "Z"
    [0-9]+ means any numeric characters

  2. the escape sequence in regex which is the "\".
    note \s means space

  3. ^ has double meaning - beginning of the line or if it is inside [], then it means any character that is NOT the next character.
    e.g [^\] means any character that is not your backslash
    [^.] means any character that is not a dot
    [^\s] means any character that is not a space

To make it easy, you can use the field extraction wizard from Splunk web but I found the generated regex inflexible and can't handle all the cases. I normally have to tweak the generated regex .

Hope this helps.

0 Karma

sbbadri
Motivator

try this

your search | eval UserName= replace(UserName,".",". ")

0 Karma

johnward4
Communicator

This eval replaced the field data with .............. only and didn't cut the domain\ leaving just the user name as I'm looking to do

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In September, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...

New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...

The latest enhancements to the Splunk observability portfolio deliver improved SLO management accuracy, better ...

Improve Data Pipelines Using Splunk Data Management

  Register Now   This Tech Talk will explore the pipeline management offerings Edge Processor and Ingest ...