regex to find domain\account

zaynaly · ‎01-31-2018

This is the regex I have, though not finding anything..:

|rex "(?<account>\w{2,6}\\.{3,15})"

example of domain and usernames:
bla\johnny99
tstbla\wawster
ble\kd0493487

mayurr98 · ‎01-31-2018

hey Try this run anywhere search

| makeresults 
| eval raw="bla\johnny99 tstbla\wawster ble\kd0493487" 
| makemv raw
| mvexpand raw
| rex field=raw "(?<domain>\w{2,6})\\\\(?<account>.{3,15})"

In your environment, you shuld try

<your_base_saerch> 
| rex field=_raw "(?<domain>\w{2,6})\\\\(?<account>.{3,15})"

let me know if this helps!

somesoni2 · ‎01-31-2018

Try this

|rex "(?<account>\w{2,6}\\\\.{3,15})"

gokadroid · ‎01-31-2018

Lets say you already have this combined information (xxxxxx\yyyyyy) in a field call data then you can try this:

your query to return field data
| rex field=data "(?<firstPart>[^\\]+)\\(?<secondPart>.*)"
| table firstPart, secondPart

where
Field firstPart is everything before a \
Field secondPart is everything after a \

regex to find domain\account

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!