Splunk Search

How to write the regex for field extraction or rex of a username in my sample data?

ccsfdave
Builder

Greetings,

I have been banging my head against the wall most of the morning on this. I am trying to create a field extraction or runtime rex to pull out the username from this raw text:

Jan 22 19:48:00 10.1.2.3 %ASA-6-302016: Teardown UDP connection 152169465 for outside:10.3.2.1/137 to outside:10.3.2.255/137 duration 0:02:03 bytes 150 (mickey_mouse)

Obviously the username is mickey mouse in my example, but I cannot extract it without the parentheses and can't get rex going at all.

Can someone with more regex knowledge lend me a hand?

Thanks so much,

Dave

0 Karma
1 Solution

aljohnson_splun
Splunk Employee
| rex "\((?<username>[\w_]+)\)$"

where [\w_] contains all potential characters used in usernames.

Check out this tool: https://regex101.com/#pcre
It makes testing regular expressions easy


lasnow
Explorer

Maybe something like this, as long as the only parens are the ones around the username?

rex "\((?<username>[^\)]*)\)"
0 Karma

ccsfdave
Builder

Just so I fully understand, \w will match letters and numbers? The following underscore necessitates an underscore, then the + says keep going, but what part of this excludes the opening and closing parentheses?

Thanks

BTW, this worked!

0 Karma

aljohnson_splun
Splunk Employee
Splunk Employee

The \w metacharacter is used to find a word character. A word character is a character from a-z, A-Z, 0-9, including the _ (underscore) character.

So actually, adding the underscore was redundant. Basically anything in the brackets [ ] is the set of symbols allowed. The plus says one or more.

When we put a backslash before the first parenthesis, we tell the regex engine to treat the parenthesis as a literal parenthesis. It is called 'escaping' the character. So if you wanted to match a literal plus, you'd need to type \+, otherwise it will be interpreted as a metacharacter.

So in the beginning, we say \( for the first parenthesis, a literal.
Then we open a capture group with a parenthesis and name the field: (?<username>
Specify our possible letters with [\w]
Specify we want more than 0 with +
Close the capture group with the parenthesis )
Then we once again say we want to match (not capture) a literal parenthesis with \)
Lastly, we say it needs to be at the very end of the line with a $
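An added example, not from the thread, that runs both patterns posted above over constructed ASA-style events in Python so the difference is visible: the accepted [\w_]+ pattern misses a username containing a dot, and the unanchored [^\)]* pattern grabs the first parenthesised token if one appears earlier in the event. Python's re module spells named groups (?P<name>...), so a small helper rewrites the PCRE (?<name>...) syntax used by Splunk's rex; the COMBINED pattern and the sample events are my own constructions, not Splunk documentation.

```python
import re

# Constructed sample events modelled on the line in the question (not real logs).
SAMPLE_EVENTS = [
    "Jan 22 19:48:00 10.1.2.3 %ASA-6-302016: Teardown UDP connection 152169465 "
    "for outside:10.3.2.1/137 to outside:10.3.2.255/137 duration 0:02:03 bytes 150 (mickey_mouse)",
    # constructed: username with a dot, which [\w_]+ cannot match
    "Jan 22 19:48:05 10.1.2.3 %ASA-6-302016: Teardown UDP connection 152169470 "
    "for outside:10.3.2.1/137 to outside:10.3.2.255/137 duration 0:00:10 bytes 90 (donald.duck)",
    # constructed: an extra parenthesised token earlier in the event
    "Jan 22 19:48:09 10.1.2.3 %ASA-6-302016: Teardown UDP connection 152169475 "
    "for outside:10.3.2.1/137 (10.3.2.1) to outside:10.3.2.255/137 duration 0:00:01 bytes 40 (minnie_mouse)",
]

# Patterns exactly as posted in the thread (PCRE / Splunk rex syntax).
ACCEPTED = r"\((?<username>[\w_]+)\)$"     # aljohnson_splun: word chars only, anchored to end
UNANCHORED = r"\((?<username>[^\)]*)\)"    # lasnow: anything but ')', first match wins
# Assumption (my own variant): accept any non-paren characters, still anchored to end of event.
COMBINED = r"\((?<username>[^()]+)\)$"


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Lookbehind assertions (?<= and (?<! are deliberately left untouched.
    """
    return re.sub(r"\(\?<(?![=!])(\w+)>", r"(?P<\1>", pattern)


def extract_username(event, pattern):
    """Return the captured username, or None when the pattern does not match.

    re.search scans the whole event, which mirrors how rex finds its first match.
    """
    m = re.search(pcre_to_python(pattern), event)
    return m.group("username") if m else None


def extract_all(pattern):
    """Apply one pattern to every sample event and return the extracted values in order."""
    return [extract_username(e, pattern) for e in SAMPLE_EVENTS]


if __name__ == "__main__":
    for name, pat in (("accepted", ACCEPTED), ("unanchored", UNANCHORED), ("combined", COMBINED)):
        print(f"{name:10s} {extract_all(pat)}")
```

The second and third events show why a field extraction should be tested against more than the one line that prompted it: a pattern that is too strict silently yields no field, and one that is too loose yields the wrong one.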
