- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Any regex masters out there?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Working on a regex for a script log. Need to pull out user:
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest SMSNomadP2P&
The command completed with one or more errors.
Would work for the first account but wont grab the rest
-\s(?<field1>\S+)
Any ideas?
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was pretty tough; try this:
(?ms)(?<=[\r\n]|\s{2})(?<field1>[^\r\n\s\-]+)(?=.*[\r\n])
This captures every username, regardless of how many appear, as a multi-valued field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That was pretty tough; try this:
(?ms)(?<=[\r\n]|\s{2})(?<field1>[^\r\n\s\-]+)(?=.*[\r\n])
This captures every username, regardless of how many appear, as a multi-valued field.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@woodcock Nice work man, I banged my head on this one for a while before posting here and quite a while after.
+1000 points for that work man, I appreciate it greatly
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
btw threw that in a transform and added mv_add = true then updated props......good to go
Thanks again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome. Another thing to consider: If you use this in a rex command, you might need to set the max_match parameter to something other than 1.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Once you remove that hyphen off the front, that regex matches each of them, according to regex101.com. Your regex depends on there being a whitespace character immediately before the value you are trying to pull. Check to validate that there is one. Can you show us what the entire line of data looks like?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That IS the entire log, nothing more to show. If you remove the hypen it matches much more than the account names according to regex101.com, I used the hypen to match the beginning.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ah, so it's a single multi-line returned value, and you only want the line immediately after the line of hyphens. Got it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What values you wan to capture, Administrator, Guest, SMSNomadP2P& or all?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes just the user names
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
