Splunk Search

Regular Expression to Extract a username out after matching a Specific String of Characters

zzaveri
Explorer

Hi All,

I am attempting to do a field extraction using a regular expression and I am having some trouble. I have the following syslog message from a test Juniper firewall. The username I am logging in with is jdoe-2fa, and I have other users whose usernames also contain "-2fa". What I am trying to do is create a regular expression that searches for -2fa but extracts the actual full username jdoe-2fa so that I can create a field called user.

Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)

0 Karma
1 Solution

mayurr98
Super Champion

Try this

index=<your_index>   | rex field=_raw “user\s(?<user>[^\/]+)” | search user=*-2fa

Let me know if this helps


micahkemp
Champion

Your double quotes came across wrong.

| rex field=_raw "user\s(?<user>[^\/]+)"
0 Karma

zzaveri
Explorer

Thank you that resolved the issue.

0 Karma

micahkemp
Champion

If the answer solved your issue, please accept it so the question looks resolved.

0 Karma

zzaveri
Explorer

I get the following message

Error in 'SearchParser': Missing a search command before '^'. Error at position '55' of search query 'search index="indexname" | rex field=_raw “user\s(?<user>[^\/]+)” |}'.

0 Karma

mayurr98
Super Champion

What query are you running? Put it in 101010 sample code.

0 Karma

micahkemp
Champion

Actually this seems closer to what was asked for. At first I was thinking it was asked to separate the -2fa from the rest of the username, but at second glance that doesn’t appear to be the case.

0 Karma

mayurr98
Super Champion

No worries, it happens 🙂 You are doing quite well; the .conf18 pass for this month is mostly yours!

0 Karma

micahkemp
Champion

Hopefully we'll both get to go and enjoy some beverages!

It's basically this month or bust for me. They'll put me back to work next month, so I won't have nearly as much time to post on answers.

0 Karma

mayurr98
Super Champion

Yeah, I hope so. All the best!

0 Karma

micahkemp
Champion

Run anywhere example:

| makeresults | eval _raw="Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 [Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH from 192.168.1.100:53429 (2018-01-09 15:35:15)"
| rex "user (?<full_user>(?<no_2fa_user>[^\/]+?)(-2fa)?)\/"
0 Karma
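Added example (not code from this thread or from Splunk): the accepted rex and the nested-group run-anywhere example above, replayed with Python's re module so the extraction can be checked offline. The first event is the NetScreen line from the question; the other three lines are constructed here. STRICT_RE is an added hardening, not something anyone in the thread posted: it anchors on the literal "Admin user" and stops at whitespace as well as "/", because [^\/]+ on its own relies on the "/session-id" that follows the username and will swallow the rest of the line if that is ever missing.

```python
import re

# Constructed sample events. EVENTS[0] is the NetScreen line from the question;
# EVENTS[1..3] are made up here: a second -2fa account, a plain account, and a
# line with no "/session-id" after the username.
EVENTS = [
    "Jan 9 07:35:16 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user jdoe-2fa/904744 has logged on via SSH "
    "from 192.168.1.100:53429 (2018-01-09 15:35:15)",
    "Jan 9 07:36:02 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user asmith-2fa/904745 has logged on via SSH "
    "from 192.168.1.101:53430 (2018-01-09 15:36:01)",
    "Jan 9 07:37:44 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user netops/904746 has logged on via SSH "
    "from 192.168.1.102:53431 (2018-01-09 15:37:43)",
    "Jan 9 07:38:01 192.168.1.254 firewall001: NetScreen device_id=firewall001 "
    "[Root]system-warning-00515: Admin user jdoe-2fa has logged on via SSH "
    "from 192.168.1.103:53432 (2018-01-09 15:38:00)",
]

# Same pattern as the accepted rex, "user\s(?<user>[^\/]+)". Python spells a
# named group (?P<name>...) and does not need "/" escaped inside a class.
USER_RE = re.compile(r"user\s(?P<user>[^/]+)")

# Same pattern as the nested-group run-anywhere example: the lazy inner group
# stops before an optional "-2fa" suffix, so both the full username and the
# username without the suffix are captured.
SPLIT_RE = re.compile(r"user (?P<full_user>(?P<no_2fa_user>[^/]+?)(-2fa)?)/")

# Added hardening (assumption, not from the thread): anchor on the literal
# "Admin user" and stop at whitespace too, so a missing session id cannot make
# the user field run to the end of the line.
STRICT_RE = re.compile(r"Admin user\s(?P<user>[^/\s]+)")


def extract_user(event, pattern=USER_RE):
    """Return the 'user' group from the first match, or None if no match."""
    m = pattern.search(event)
    return m.group("user") if m else None


def extract_user_parts(event):
    """Return {'full_user': ..., 'no_2fa_user': ...}, or None if no match."""
    m = SPLIT_RE.search(event)
    if not m:
        return None
    return {"full_user": m.group("full_user"),
            "no_2fa_user": m.group("no_2fa_user")}


def two_fa_logons(events, pattern=STRICT_RE):
    """Equivalent of `| rex ... | search user=*-2fa`: usernames ending in -2fa."""
    users = (extract_user(e, pattern) for e in events)
    return [u for u in users if u is not None and u.endswith("-2fa")]


if __name__ == "__main__":
    for e in EVENTS:
        print(extract_user(e), "|", extract_user(e, STRICT_RE), "|",
              extract_user_parts(e))
    print(two_fa_logons(EVENTS, USER_RE))
    print(two_fa_logons(EVENTS))
```

On the first three events both patterns agree with what the thread shows (jdoe-2fa / jdoe, asmith-2fa / asmith, netops / netops). On the constructed fourth line the accepted pattern returns "jdoe-2fa has logged on via SSH from ..." as the username, so the `search user=*-2fa` filter silently drops that logon; the nested-group pattern does not match at all because it requires the trailing "/". The stricter pattern still yields jdoe-2fa. In Splunk, the same tightening is just `rex field=_raw "Admin user\s(?<user>[^\/\s]+)"`.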