Hi Experts,
I have a data field called "userId" (FirstName.LastName@DomainName) in one of my data sources. Is there a way to create a new field called "user" just by extracting the "FirstName.LastName" part from the "userId" field?
Thank you in advance
@PanIrosha,
Try
your search|rex field=userId "(?<user>\w+\.\w+)"
In case your names contain digits and - (hyphen) then use,
your search|rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
Hi Renjith,
Thank you very much for the quick response. Will you be able to tell me how to create the field adding this, please? I am quite new to Splunk.
Thank you 🙂
Hi @renjith.nair
The regex worked fine in my search. Apparently, we have a few naming conventions. Some are just firstname@domain.com. Can you help me to create a regex that detects "everything" before the @ sign?
Thank you very much.
@PanIrosha,
Ok, try this and upvote if it worked 🙂
|rex field=userId "(?<user>.+?(?=@))"
@renjith.nair
Wow, that works like a charm. Thank you very much. This regex works fine when I run it in the search bar. I can see the field getting extracted. But how can I save this extraction permanently?
I tried to save this as a field extraction in Settings > Fields > Field Extraction. Below are the settings for this extraction:
Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"
App Permission: Global
In the search bar, I can get the extracted field when I search with the index name:
index=asa | rex field=userId "(?<user>.+?(?=@))"
But it doesn't return any results when I search with the sourcetype, source or host.
Any idea what might be the reason?
Thank you very much Renjith.
NOTE: I am using your exact regex command given in your answers.
Regards
Irosha
@PanIrosha ,
Hi Irosha,
Since the search works fine with index=, then the field extraction is working.
If you haven't given any index name in the search, there is a property in the user role called Indexes searched by default which will be looked against to find out the indexes the search should consider by default. Unless you change that property, by default it has only main index. You can change that by Settings -> Access controls » Roles » "your role name" and scroll down to find Indexes searched by default
@renjith.nair
Thank you for the prompt response. Did I use the correct way to create the field extraction? Is there anything that needs to be added?
I tried to save this as a field extraction in Settings > Fields > Field Extraction. Below are the settings for this extraction:
Destination App: Search
Name: User_field_extract
Sourcetype: SourceTypeName
Type: inline
Extraction and Transform: rex field=userId "(?<user>.+?(?=@))"
App Permission: Global
Thank you very much.
@PanIrosha,
The user field will be created as it's used in the named group. Run the below example to check
| makeresults |eval userId="FirstName.LastName@abc.com" |rex field=userId "(?<user>[\w0-9-]+\.[\w0-9-]+)"
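
Added example, not part of the thread: the three regexes posted above run side by side against constructed userId values, to show where each one puts the wrong value into "user" (for instance the domain instead of the name), which matters when searches or alerts group by that field. It is written in JavaScript because its regex engine accepts the same named-group and lookahead syntax as the patterns in the thread; the "anchored" pattern and all sample values are assumptions that do not appear in the thread.

```javascript
// Added example, not from the thread. Patterns 1-3 are copied from the answers;
// "anchored" is an assumed stricter variant that is not in the thread.
const patterns = {
  dotted: /(?<user>\w+\.\w+)/,                    // first answer
  dottedHyphen: /(?<user>[\w0-9-]+\.[\w0-9-]+)/,  // second answer
  beforeAt: /(?<user>.+?(?=@))/,                  // third answer
  anchored: /^(?<user>[^@\s]+)@/,                 // assumption: start-anchored, no "@" or spaces
};

// Constructed sample values covering the naming conventions mentioned in the thread.
const samples = [
  "FirstName.LastName@abc.com", // the convention from the question
  "firstname@abc.com",          // single name, no dot before "@"
  "first-name.last9@abc.com",   // hyphen and digit
  "a.b.c@abc.com",              // more than one dot before "@"
  "svc_backup",                 // no "@" at all
];

// Return the "user" capture for one pattern, or null when nothing matches
// (rex likewise leaves the field unset when the regex does not match).
function extractUser(pattern, userId) {
  const m = pattern.exec(userId);
  return m ? m.groups.user : null;
}

// Build one row per userId with the value each pattern would extract.
function compare(ids) {
  return ids.map((userId) => {
    const row = { userId };
    for (const [name, re] of Object.entries(patterns)) {
      row[name] = extractUser(re, userId);
    }
    return row;
  });
}

// Rows where a pattern extracted something other than the text before "@".
function mismatches(ids, name) {
  return compare(ids)
    .filter((r) => r.userId.includes("@") && r[name] !== r.userId.split("@")[0])
    .map((r) => `${r.userId} -> ${r[name]}`);
}

console.table(compare(samples));
console.log("dotted mismatches:", mismatches(samples, "dotted"));
```

The unanchored dotted patterns return "abc.com" for "firstname@abc.com", because the first place they can match is the domain, so every single-name account would collapse into one "user" value.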