Hi
How do I extract these users using regex? I need user=eerfe33, nrt123, ...
file:_C:\Users\eerfe33\Documents....
file:_C:\Users\nrt123\Downloads....
This works in a search
... | rex "Users\\(?<user>[^\\]+)" | ...
Try this
.... | rex "Users\\(?<users>[^\\]+)"
Thanks for the reply! I'm getting this error:
Error in 'rex' command: Encountered the following error while compiling the regex 'Users\(?[^\]+)': Regex: missing terminating ] for character class
Search:
index=... sourcetype=...|rex "(Users\\(?[^\\]+)"
The results are in the field:
file_path= file:_C:\Users\eerfe33\Documents.... , file:_C:\Users\nrt123\Downloads...., file:_C:\Users\ab_ww22\AppData\
Each backslash in the rex command must be escaped (doubled). As the command reads now, the closing bracket is escaped and therefore not interpreted as a closing bracket.
If your data consists of multiple file paths in a single field, then the rex command should be changed slightly.
rex field=file_path max_match=0 "Users\\(?<user>[^\\]+)"
This will put all user names into a single multivalue field called 'user'. Use the mv commands to extract the individual user names.
This is the raw event:
"2016-06-17 11:29:30" timestamp="2016-06-17 11:29:30.227",ID="72", product="dsd", type="Incident", dest="LT", dest_nt="TH", date="2016-06-17 11:29:30.227", actiontime="2016-06-17 11:29:49.0", version="4.9", detid="11E6", FullName="NT", UserSID="NULL", src="realtime", UID="17", file_name="C:\Program Files\..", file_path="file:_C:\Users\eerfe33\Documents\...", sig="dfg", severity="Severe", category="PA", action="noaction"
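The extraction the answers describe, reproduced outside Splunk so the regex behaviour can be checked on the posted data. This is an added example, not code from the thread or from Splunk: it runs the same pattern with Python's `re` (which spells a named group `(?P<user>...)` where Splunk/PCRE accept `(?<user>...)`), shows the difference between a single match and `max_match=0` (every match), and shows why the single-backslash version fails to compile. The raw event and the three-path field are copied from the posts above; the function names are this example's own.

```python
import re
from typing import List, Optional

# PCRE-style regex from the answers above, in Python syntax: Python's re wants
# (?P<name>...) where PCRE/Splunk accept (?<name>...). Each backslash is
# doubled inside the raw string so the engine sees "Users\" followed by a
# character class that stops at the next backslash.
USER_RE = re.compile(r"Users\\(?P<user>[^\\]+)")

# The same pattern with single backslashes, i.e. what Splunk reported compiling
# in the error above: "\]" is an escaped bracket, so the class never closes.
BROKEN_PATTERN = r"Users\(?P<user>[^\]+)"

# Constructed sample input: the raw event posted above, verbatim.
RAW_EVENT = (
    r'"2016-06-17 11:29:30" timestamp="2016-06-17 11:29:30.227",ID="72", '
    r'product="dsd", type="Incident", dest="LT", dest_nt="TH", '
    r'date="2016-06-17 11:29:30.227", actiontime="2016-06-17 11:29:49.0", '
    r'version="4.9", detid="11E6", FullName="NT", UserSID="NULL", '
    r'src="realtime", UID="17", file_name="C:\Program Files\..", '
    r'file_path="file:_C:\Users\eerfe33\Documents\...", sig="dfg", '
    r'severity="Severe", category="PA", action="noaction"'
)

# Constructed sample of one field holding several paths, as in the post above
# (the trailing backslash is appended separately: a raw string cannot end in one).
MULTI_PATH_FIELD = (
    r"file:_C:\Users\eerfe33\Documents.... , "
    r"file:_C:\Users\nrt123\Downloads...., "
    r"file:_C:\Users\ab_ww22\AppData" "\\"
)


def extract_file_path(event: str) -> Optional[str]:
    """Pull the quoted file_path="..." value out of a key="value" event."""
    m = re.search(r'file_path="([^"]*)"', event)
    return m.group(1) if m else None


def first_user(text: str) -> Optional[str]:
    """rex without max_match: only the first match is returned."""
    m = USER_RE.search(text)
    return m.group("user") if m else None


def all_users(text: str) -> List[str]:
    """rex with max_match=0: every match, like Splunk's multivalue 'user' field."""
    return [m.group("user") for m in USER_RE.finditer(text)]


def compile_error(pattern: str) -> Optional[str]:
    """Return the regex compiler's complaint for a pattern, or None if it compiles."""
    try:
        re.compile(pattern)
    except re.error as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print("file_path:", extract_file_path(RAW_EVENT))
    print("first user:", first_user(RAW_EVENT))
    print("all users:", all_users(MULTI_PATH_FIELD))
    print("broken pattern:", compile_error(BROKEN_PATTERN))
```

Two caveats when using the result. The class `[^\\]+` deliberately accepts any character up to the next backslash, so names with dots, hyphens or underscores (ab_ww22) survive intact; a path that ends at `Users\` with no folder after it yields no match rather than an empty string. And what you get is the profile folder name from an endpoint event, not an authenticated identity: Windows names the folder `name.DOMAIN` or similar when a profile collides with an existing one, so treat the value as untrusted input to be normalised before joining it to an identity source.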