
Stumped on this regex

dbcase
Motivator

Hi,

I'm trying to pull the user ID from the below data. The userids are: mspeer2, ddaniel, mirella, jcrews

I have a regex of

rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P<loginid>[^\"]+)"

but it isn't working 100% (more like 50%)

  "something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mspeer2"

"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-"  "ddaniel"

"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mirella"

8:43:57.000 PM

"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"

1 Solution

gokadroid
Motivator

If the login name is always the last one to occur in the log line then you can try the regex below:

.*\"(?<loginid>[^\"]+)\"$


dbcase
Motivator

Hi Gokadroid!

Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!!


lakromani
Builder

No need to include all the text in front, and " does not need to be escaped inside the [], so this should do: \"(?<loginid>[^"]+)\"$

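As an added illustration (this is not code from the thread or from Splunk), the script below runs the question's hyphen-counting regex and both proposed answers against the four events posted above, plus one constructed event in which nobody authenticated (the final field is "-"). The hyphen-counting version requires exactly seven hyphens before the login field; the two events whose user-agent string contains no hyphen have only six, which is the 50% failure the question describes. The constructed no-user event and the authenticated_user helper are assumptions added here. Splunk rex uses PCRE, so the named groups are written as (?P<name>...), the form Python's re module accepts and the one the question's own regex already used; the SPL string escapes (\") are dropped because the patterns are no longer inside an SPL double-quoted string.

```python
import re

# The four events posted in the question (hostnames and IPs as they appear in the thread).
EVENTS = [
    '"something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mspeer2"',
    '"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-"  "ddaniel"',
    '"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mirella"',
    '"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"',
]

# Constructed event (not from the thread): a failed login where no user was identified,
# so the last quoted field is the placeholder "-".
UNAUTHENTICATED_EVENT = (
    '"something.something.com" 10.0.0.1 "10.0.0.1" - - [15/Oct/2016:20:40:00 -0500] '
    '"GET /rest/icontrol/login HTTP/1.1" 401 0 0 UCT-00000 "-" "-" "-" "-"'
)

# The question's regex: skip exactly seven hyphens, then expect "<whitespace>" and the login field.
ORIGINAL = re.compile(r'(?i)^(?:[^\-]*\-){7}"\s+"(?P<loginid>[^"]+)')
# The accepted answer: anchor on the final quoted field instead of counting hyphens.
ACCEPTED = re.compile(r'.*"(?P<loginid>[^"]+)"$')
# lakromani's refinement: same anchor, without the leading greedy .* scan.
REFINED = re.compile(r'"(?P<loginid>[^"]+)"$')


def count_hyphens(event):
    """How many hyphens the event contains; the question's regex needs at least seven."""
    return event.count("-")


def extract_loginid(event, pattern=REFINED):
    """Return the captured loginid for one event, or None when the pattern does not match.

    rstrip() guards the $ anchor against a trailing space or CR at the end of the event.
    """
    match = pattern.search(event.rstrip())
    return match.group("loginid") if match else None


def extract_all(pattern, events=EVENTS):
    """Apply one pattern to every event, keeping None for misses so gaps stay visible."""
    return [extract_loginid(e, pattern) for e in events]


def authenticated_user(event):
    """Like extract_loginid, but treat the "-" placeholder as 'no authenticated user'."""
    loginid = extract_loginid(event)
    return None if loginid == "-" else loginid


if __name__ == "__main__":
    for event in EVENTS:
        print(count_hyphens(event),
              extract_loginid(event, ORIGINAL),
              extract_loginid(event, ACCEPTED),
              extract_loginid(event, REFINED))
    print(authenticated_user(UNAUTHENTICATED_EVENT))
```

Two practical points follow from running it. First, when either answer is pasted back into an SPL rex "..." string, every double quote in the pattern sits inside an SPL double-quoted string and has to be written as \", which is why the thread's versions carry backslashes even where PCRE itself would not need them. Second, the pattern captures whatever is in the last quoted field, including the "-" placeholder on requests with no authenticated user, so any report that counts logins per user should drop that value the way authenticated_user does rather than reporting a user literally named "-".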

gokadroid
Motivator

Awesome!! If you can upvote the answer as well, that will be great!!


gokadroid
Motivator

Cool... thanks a lot @dbcase... Happy Splunking!!


dbcase
Motivator

Thank you! You don't know how much this helped!


dbcase
Motivator

Whups, sorry. Ignore the 8:43:57 on the last event sample. Cut-and-paste error.
