Splunk Search

Stumped on this regex

Motivator

Hi,

I'm trying to pull the user ID from the below data. The userids are: mspeer2, ddaniel, mirella, jcrews

I have a regex of

rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P<loginid>[^\"]+)"

but it isn't working 100% (more like 50%)

  "something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mspeer2"

"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-"  "ddaniel"

"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mirella"

8:43:57.000 PM

"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"

0 Karma

Motivator

If the login name is always the last one to occur in the log line then you can try below:

.*\"(?<loginid>[^\"]+)\"$

Motivator

Hi Gokadroid!

Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!!

0 Karma

Builder

No need to include all the text in front and " does not need to be escaped in the [], so this should do \"(?<loginid>[^"]+)\"$

0 Karma

Motivator

Awesome!! If you can upvote the answer as well that will be great !!

0 Karma

Motivator

Cool..thanks a lot @dbcase ...Happy Splunking!!

0 Karma

Motivator

Thank you! You don't know how much this helped!

0 Karma

Motivator

Whups, sorry. Ignore the 8:43:57 on the last event sample. Cut and paste error.

0 Karma