I have logs that look like this:
1:
So I would like to extract the username from two systems named system1 and system2. When I try to do this in Splunk, it fails with a regex that works when I try it outside Splunk:
(?i)(system1|system2)(?-i) (?<SYS_Username>[A-z]+).*
If I do
(?i)system1(?-i) (?<SYS_Username>[A-z]+).*
It works perfectly, but only for one system. The problem seems to come when I introduce the ( | ) syntax.
Hi,
Could you try this:
(?i)(?:system1|system2)(?-i) (?<SYS_Username>[A-z]+).*
(?:) says "don't capture"
Alex
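An added example, not part of the thread: it compares the capturing and non-capturing forms of the alternation and shows how many capture groups each pattern defines and which index SYS_Username lands on. It also goes one step further and checks the [A-z] character class against [A-Za-z]. Assumptions: the patterns are rewritten in Python's `re` spelling ((?P<name>...) and a scoped (?i:...)), and the sample events are constructed because the log sample is not shown on the page.

```python
import re

# Constructed sample events (the original log sample is not on the page).
SAMPLE_EVENTS = [
    "2024-01-01 10:00:01 System1 alice logged in",
    "2024-01-01 10:00:02 SYSTEM2 bob logged in",
    "2024-01-01 10:00:03 system3 carol logged in",
    "2024-01-01 10:00:04 system2 dave_admin logged in",
]

# Python spelling of the thread's patterns: (?P<name>...) for the named group
# and a scoped (?i:...) in place of the (?i)...(?-i) toggle pair.
CAPTURING = re.compile(r"(?i:(system1|system2)) (?P<SYS_Username>[A-z]+)")
NON_CAPTURING = re.compile(r"(?i:system1|system2) (?P<SYS_Username>[A-z]+)")

# [A-z] covers ASCII 65-122, which also includes [ \ ] ^ _ and the backtick.
# Hypothetical stricter variant that accepts letters only.
LETTERS_ONLY = re.compile(r"(?i:system1|system2) (?P<SYS_Username>[A-Za-z]+)")


def group_layout(pattern):
    """Return (number of capture groups, index of SYS_Username)."""
    return pattern.groups, pattern.groupindex["SYS_Username"]


def extract_usernames(pattern, events):
    """Return SYS_Username for every event the pattern matches."""
    found = []
    for event in events:
        match = pattern.search(event)
        if match:
            found.append(match.group("SYS_Username"))
    return found


if __name__ == "__main__":
    for name, pat in [("capturing", CAPTURING),
                      ("non-capturing", NON_CAPTURING),
                      ("letters-only", LETTERS_ONLY)]:
        print(name, group_layout(pat), extract_usernames(pat, SAMPLE_EVENTS))
```
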