extracting fields

Jananee_iNautix · ‎01-20-2014

Hi,
I have the following log statements
1.Connected to [el2me@star-mf.grgk.com:22]
2.. Connected to [ftpsergr.gregn.com:41]. UserID [egwergrwe]

From the above statements i have to exrtact userid in common.In first log statement e12me is the userid and in second log statement string following the UserID is the userid which i want to extract ie.egwergrwe

i gave the following regex to extract the userid and diplay in table
as
sourcetype="RSBA_LOGS-2" |rex field=_raw "(?:Connected to |UserID)?[(?\S+)(?:@|])" | table userid

But it is not extracting the correct userid .Can anyone help me on the regex.

somesoni2 · ‎01-21-2014

This could be a workaround.

   your base search.. | rex field=_raw "\[(?<userid>[^\]]*)\]$" | rex field=userid "(?<userid>[^@]*)"

No luck so far with single rex.

MuS · ‎01-20-2014

Hi Jananee_iNautix,

try something like this:

(Connected to \[|UserID \[)(?<userid>.+)[\:\]]

here is a good online regex test tool http://www.regexr.com/ where you can test your regex.

hope this helps ...

cheers, MuS

Jananee_iNautix · ‎01-20-2014

It is not extracting the userid.Please help...

extracting fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation

extracting fields

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026