Solved: How to write regex to extract one capture group fo...

kmcconnell · ‎09-16-2014

I have a regex question that I hope will be easy for someone. I’m not big on regexes so I’m coming to you all for help. I have events where the user account is coming in by itself (xyz123) and sometimes with the domain (domain\xyz123), see below. I was able to just pull out the user IDs with a regex, but it had two capture groups instead of just one [U|u]ser\s(?:[\w\.]+\\(\w+)|([\w]+))\s. I’d like to have one capture group that only has the user ID.

[MsgID: 2]The user domain\xyz123 with source IP address

[MsgID: 2]The user xyz123 with source IP address

martin_mueller · ‎09-16-2014

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

View solution in original post

MuS · ‎09-16-2014

Hi kmcconnel,

assuming your ID's are always 6 alphanumeric values and are always before with in the events, try this regex:

(?<myUserID>\w{6})(?=\swith)

hope this helps ...

cheers, MuS

martin_mueller · ‎09-16-2014

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

kmcconnell · ‎09-17-2014

I tried both approaches and they both work, but the answer from martin_mueller was what I had been working toward. Thank you both for the help.

somesoni2 · ‎09-16-2014

This works fine after added additional backslash after [\w.]+

MuS · ‎09-16-2014

HeHe, too slow again....

How to write regex to extract one capture group for user ID?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life