How to edit my regex to remove all text before an optional character?

goodsellt
Contributor

I'm attempting to use rex or a similar function that will be able to help me remove the domain identifier from a username from a list of events where that may not always be present.

The usernames in a list can appear like:
MA\user2
JP\user5
user6
far\user4

The closest thing I've got is: (^[^\\\\]+\\\\)?(?P<username>\w+)

However, that isn't working correctly as I'm getting the MA, JP, etc in my field instead of the text afterward for those which have those identifiers.

Could someone help identify what I may have done wrong? I've been using regexpal.com to do some testing, but on that site, it appears what I'm doing is correct.

0 Karma
1 Solution

javiergn
Super Champion

Try the following regex instead:

| rex field=yourfield "(?<username>\w+)$"

If your username is likely to contain hyphens or any other special characters not covered by \w+, you might be better off using the following instead:

| rex "(?<username>[^\\\]+)$"

EDIT to indicate this is now tested


somesoni2
Revered Legend

Try like this:

| gentimes start=-1 | eval username="MA\user2 JP\user5 user6 far\user4" | table username | eval username=replace(username, "\w+(\\\\)+","")
0 Karma

goodsellt
Contributor

I'd also like to mention this worked out pretty well as well, though in some strange cases it was blanking out the entire username.

0 Karma

goodsellt
Contributor

That second regex worked out perfectly for our situation.

0 Karma
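As an added example (not code from any poster in this thread), the two patterns from javiergn's answer and the replace() pattern from somesoni2's answer, translated to Python's re module and run over the four sample usernames plus two constructed names with a hyphen and a dot in the account part. The regexes are written as the PCRE engine sees them; Splunk's own backslash escaping inside the quoted search string is not modelled here, which is an assumption of this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample values: the four usernames from the question plus two
# shapes the accepted answer warns about (a hyphen and a dot in the account name).
SAMPLE_USERNAMES = ["MA\\user2", "JP\\user5", "user6", "far\\user4",
                    "MA\\john-doe", "svc.backup"]

# The regexes as the regex engine sees them, after Splunk has consumed the
# quoting in the search string (that quoting layer is not modelled here).
WORD_TAIL = re.compile(r"(?P<username>\w+)$")              # first rex suggestion
NON_BACKSLASH_TAIL = re.compile(r"(?P<username>[^\\]+)$")  # second rex suggestion
DOMAIN_PREFIX = re.compile(r"\w+(\\)+")                    # replace() pattern


def extract_word_tail(value: str) -> Optional[str]:
    r"""rex "(?<username>\w+)$": the trailing run of word characters."""
    m = WORD_TAIL.search(value)
    return m.group("username") if m else None


def extract_non_backslash_tail(value: str) -> Optional[str]:
    r"""rex "(?<username>[^\\\]+)$": everything after the last backslash."""
    m = NON_BACKSLASH_TAIL.search(value)
    return m.group("username") if m else None


def strip_domain_prefix(value: str) -> str:
    r"""eval replace(username, "\w+(\\\\)+", ""): delete every DOMAIN\ prefix."""
    return DOMAIN_PREFIX.sub("", value)


def compare(values: List[str]) -> Dict[str, Tuple[Optional[str], Optional[str], str]]:
    """Run the three approaches side by side; returns {input: (word, non_backslash, replace)}."""
    return {v: (extract_word_tail(v), extract_non_backslash_tail(v), strip_domain_prefix(v))
            for v in values}


if __name__ == "__main__":
    # Only the \w+$ variant truncates "john-doe" to "doe" and "svc.backup" to "backup".
    for value, (word, tail, replaced) in compare(SAMPLE_USERNAMES).items():
        print(f"{value:14} \\w+$ -> {word!r:12} [^\\\\]+$ -> {tail!r:12} replace -> {replaced!r}")
```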