I have a field called "user". I'm trying to extract the username from the string and create a new field called extracted_user that I will later run against an LDAP filter to look up additional AD info.
user field examples:
Smith, John M. (jmsmith)(+)
Doe, Jane P. (jpdoe)(+)
I want to extract the username between the first set of parenthesis "jmsmith" and "jpdoe" respectively.
My current search:
index=network sourcetype=opsec app_rule_name="Track Uncategorized Content" user!=NULL
| rex field=user "((?<extracted_user>.*))("
Right now the search runs, but extracted_user field isn't created and the user field is unchanged. Any help would be greatly appreciated.
You need to escape the parentheses that are part of the string:
| rex field=user "\((?P<extracted_user>[^\(]+)\)\("
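To see why the escaping matters, here is an added example (not from the original answer) that runs the answer's pattern, a greedy variant and the question's original pattern over constructed sample values in Python. Splunk's rex uses PCRE; for this syntax Python's re behaves the same, and the third sample value is an assumption added to show a non-matching case.

```python
import re
from typing import Optional

# Constructed sample values for the "user" field, in the format shown in the question.
SAMPLE_USERS = [
    "Smith, John M. (jmsmith)(+)",
    "Doe, Jane P. (jpdoe)(+)",
    "Roe, Richard (rroe)",  # constructed: no trailing "(+)" group
]

# The pattern from the answer:
#   \(      literal opening parenthesis
#   [^\(]+  one or more characters that are not "(", so it stops at the first ")"
#   \)\(    the literal ")(" that separates the username from "(+)"
ANSWER_PATTERN = re.compile(r"\((?P<extracted_user>[^\(]+)\)\(")

# Same idea without requiring the trailing "(": matches values that lack "(+)".
RELAXED_PATTERN = re.compile(r"\((?P<extracted_user>[^()]+)\)")

# Greedy variant for comparison: .* runs to the LAST ")" on the line.
GREEDY_PATTERN = re.compile(r"\((?P<extracted_user>.*)\)")


def extract_user(value: str, pattern: re.Pattern = ANSWER_PATTERN) -> Optional[str]:
    """Return the extracted_user group, or None when the pattern does not match
    (rex likewise leaves the field unset for events that do not match)."""
    m = pattern.search(value)
    return m.group("extracted_user") if m else None


def original_pattern_compiles() -> bool:
    """The question's pattern treats every "(" as a group opener and ends with
    an unclosed group, so the regex engine rejects it instead of matching."""
    try:
        re.compile(r"((?P<extracted_user>.*))(")
        return True
    except re.error:
        return False


if __name__ == "__main__":
    print("original pattern compiles:", original_pattern_compiles())
    for u in SAMPLE_USERS:
        print(f"{u!r:32} answer={extract_user(u)!r:12} "
              f"relaxed={extract_user(u, RELAXED_PATTERN)!r:8} "
              f"greedy={extract_user(u, GREEDY_PATTERN)!r}")
```

The greedy variant returns "jmsmith)(+" for the first sample, which is why the answer's negated character class is the right choice here.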
Try this:
| rex field=_raw "(?:\()(?P<extracted_user>\w+)"
I tested this at regex101.com and it seemed to do the trick.
Ohhh, thanks!