Splunk Search

regex to find domain\account

Explorer

This is the regex I have, though not finding anything..:

|rex "(?<account>\w{2,6}\\.{3,15})"

example of domain and usernames:
bla\johnny99
tstbla\wawster
ble\kd0493487

Tags (2)
0 Karma

SplunkTrust
SplunkTrust

hey Try this run anywhere search

| makeresults 
| eval raw="bla\johnny99 tstbla\wawster ble\kd0493487" 
| makemv raw
| mvexpand raw
| rex field=raw "(?<domain>\w{2,6})\\\\(?<account>.{3,15})"

In your environment, you shuld try

<your_base_saerch> 
| rex field=_raw "(?<domain>\w{2,6})\\\\(?<account>.{3,15})"

let me know if this helps!

0 Karma

SplunkTrust
SplunkTrust

Try this

|rex "(?<account>\w{2,6}\\\\.{3,15})"
0 Karma

Motivator

Lets say you already have this combined information (xxxxxx\yyyyyy) in a field call data then you can try this:

your query to return field data
| rex field=data "(?<firstPart>[^\\]+)\\(?<secondPart>.*)"
| table firstPart, secondPart

where
Field firstPart is everything before a \
Field secondPart is everything after a \

0 Karma