Solved: Re: How to write regex to extract one capture grou...

kmcconnell · ‎09-16-2014

I have a regex question that I hope will be easy for someone. I’m not big on regexes so I’m coming to you all for help. I have events where the user account is coming in by itself (xyz123) and sometimes with the domain (domain\xyz123), see below. I was able to just pull out the user IDs with a regex, but it had two capture groups instead of just one [U|u]ser\s(?:[\w\.]+\\(\w+)|([\w]+))\s. I’d like to have one capture group that only has the user ID.

[MsgID: 2]The user domain\xyz123 with source IP address

[MsgID: 2]The user xyz123 with source IP address

martin_mueller · ‎09-16-2014

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

View solution in original post

MuS · ‎09-16-2014

Hi kmcconnel,

assuming your ID's are always 6 alphanumeric values and are always before with in the events, try this regex:

(?<myUserID>\w{6})(?=\swith)

hope this helps ...

cheers, MuS

martin_mueller · ‎09-16-2014

Try this:

[uU]ser\s(?:[\w.]+\\)?(?<user>\w+)\s

...provided I correctly understand your problem 🙂

kmcconnell · ‎09-17-2014

I tried both approaches and they both work, but the answer from martin_mueller was what I had been working toward. Thank you both for the help.

somesoni2 · ‎09-16-2014

This works fine after added additional backslash after [\w.]+

MuS · ‎09-16-2014

HeHe, too slow again....

How to write regex to extract one capture group for user ID?

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...