Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Stumped on this regex
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I'm trying to pull the user ID from the below data? The userids are: mspeer2, ddaniel, mirella, jcrews
I have a regex of
rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P<loginid>[^\"]+)"
but it isn't working 100% (more like 50%)
"something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mspeer2"
"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-" "ddaniel"
"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-" "mirella"
8:43:57.000 PM
"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the login name is always the last one to occur in the log line then u can try below:
.*\"(?<loginid>[^\"]+)\"$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the login name is always the last one to occur in the log line then u can try below:
.*\"(?<loginid>[^\"]+)\"$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Gokadroid!
Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No need to include all the text in front and " does not need to be escaped in the [], so this should do \"(?<loginid>[^"]+)\"$
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome!! If you can upvote the answer as well that will be great !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Cool..thanks a lot @dbcase ...Happy Splunking!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you! You don't know how much this helped!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
whups, sorry Ignore the 8:43:57 on the last event sample. Cut and Paste error
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Index This | What travels the world but is also stuck in place?
Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data
Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...
