I am attempting to extract a user field from a log file using the following regex:
(?=[^v]*(?:virtual address: |v.*virtual address: ))user:\s+DOMAIN\\(?P<user>[^,]+)
Here is a sample event:
"Dec 7 07:44:31 net.domain.com Dec 07 07:44:31 name02 servic.exe[1124]: Proxy: Client XG RPC session indication, user: DOMAIN\username, virtual address: 127.0.0.1, IMP handle: 0x000000003a5d3a1f, client version: 1.04, build: 1111"
This regex works correctly in regex101 and returns only the username as desired "username". This doesn't find a match in Splunk and I can only seem to get the extraction to work if I omit the backslash and extract the user field as "DOMAIN\username". What is the correct syntax in Splunk to escape a backslash?
... View more