Splunk Search

Stumped on this regex

Motivator

Hi,

I'm trying to pull the user ID from the below data? The userids are: mspeer2, ddaniel, mirella, jcrews

I have a regex of

rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P<loginid>[^\"]+)"

but it isn't working 100% (more like 50%)

  "something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mspeer2"

"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-"  "ddaniel"

"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mirella"

8:43:57.000 PM

"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"

Tags (2)
0 Karma
1 Solution

Motivator

If the login name is always the last one to occur in the log line then u can try below:

.*\"(?<loginid>[^\"]+)\"$

View solution in original post

Motivator

If the login name is always the last one to occur in the log line then u can try below:

.*\"(?<loginid>[^\"]+)\"$

View solution in original post

Motivator

Hi Gokadroid!

Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!!

0 Karma

Builder

No need to include all the text in front and " does not need to be escaped in the [], so this should do \"(?<loginid>[^"]+)\"$

0 Karma

Motivator

Awesome!! If you can upvote the answer as well that will be great !!

0 Karma

Motivator

Cool..thanks a lot @dbcase ...Happy Splunking!!

0 Karma

Motivator

Thank you! You don't know how much this helped!

0 Karma

Motivator

whups, sorry Ignore the 8:43:57 on the last event sample. Cut and Paste error

0 Karma