What's the most efficient way to extract the user name from these messages:
Message=Self-service Plug-in started (user=DOMAINX\a123456)
Message=Self-service Plug-in started (user=DOMAINY\c123456)
Thanks
\\(?<user>(\w|\d+)*) should do it...
Error in 'rex' command: Encountered the following error while compiling the regex '(?(\w|\d+)*)': Regex: unmatched parentheses
right ;-)
| rex field=data "\\\(?<user>(\w|\d)*)"
three slashes - the editors mistreat them ....
Like this:
... | rex field=Message "\(user=(?<user>[^\)]+)"
Nice,
user="DOMAINY\L123456"
Can we drop the domain or separate it?
Like this:
... | rex field=Message "\(user=(?<domain>[^\\\]+)\\\(?<user>[^\)]+)"
Nice thanks!
Hi @smudge797
Glad you found a solution through @woodcock and gave him an upvote, but please don't forget to click "Accept" directly below his answer to resolve the question. Thanks!
Done!
Thanks.
I'm not sure if it's the most efficient, but it's one of the simplest.
... | rex field=Message "\\(?<userName>[^\)]*)" | ...
The leading backslash needs to be escaped. Otherwise, it escapes the left paren.
Error in 'rex' command: Encountered the following error while compiling the regex '\(?[^\)]*)': Regex: unmatched parentheses
Hi,
props.conf
[<<sourcetype>>]
.
.
.
EXTRACT-user = \\(?<user_wo_domain>[^\)]+)\)$
Hope I helped you.
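Added example, not written by any poster in this thread: a Python model of the two escaping layers the answers above run into, using the rex arguments and the props.conf value exactly as posted. The unescaping rule in `compile_rex` (the search parser collapses each pair of backslashes to one before the regex is compiled) is an assumption, and all helper names are hypothetical.

```python
import re

# Constructed events: the two messages quoted in the question.
SAMPLES = [
    r"Message=Self-service Plug-in started (user=DOMAINX\a123456)",
    r"Message=Self-service Plug-in started (user=DOMAINY\c123456)",
]

def compile_regex(pcre):
    """Compile a regex as the engine receives it (e.g. a props.conf EXTRACT value)."""
    # Python spells named groups (?P<name>...); lookbehinds (?<= and (?<! are left alone.
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pcre))

def compile_rex(spl_string):
    """Compile the quoted argument of `rex`.

    Assumption: the search parser collapses each pair of backslashes to one
    and passes other escapes through before the regex is compiled.
    """
    return compile_regex(spl_string.replace("\\\\", "\\"))

def extract(rx, events=SAMPLES):
    """Return the named groups captured from each event (None where no match)."""
    return [m.groupdict() if (m := rx.search(e)) else None for e in events]

def rex_error(spl_string):
    """Return the compile error for a rex argument, or None if it compiles."""
    try:
        compile_rex(spl_string)
    except re.error as exc:
        return str(exc)
    return None

# rex arguments exactly as posted in the thread
WHOLE = r'\(user=(?<user>[^\)]+)'                        # domain\user in one field
SPLIT = r'\(user=(?<domain>[^\\\]+)\\\(?<user>[^\)]+)'   # three backslashes
TWO_SLASHES = r'\\(?<userName>[^\)]*)'                   # the one that failed
# props.conf EXTRACT value as posted (no search-string layer in front of it)
PROPS = r'\\(?<user_wo_domain>[^\)]+)\)$'

if __name__ == "__main__":
    print(extract(compile_rex(WHOLE)))
    print(extract(compile_rex(SPLIT)))
    print(extract(compile_regex(PROPS)))
    print(rex_error(TWO_SLASHES))
```

Under that assumption, two backslashes in a rex string reach the regex engine as `\(`, a literal parenthesis, which leaves the closing `)` unmatched; the same two backslashes in props.conf stay a literal backslash followed by a capture group.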