I have a field that looks like this:
UserName=domain\joe_user
I want it to look like this:
UserName=joe_user
How do I take out domain\ using rex?
domain\
Try this
your base search | rex field=UserName "\w+\\(?<UserName>.*)"
OR
your base search | eval UserName=mvindex(split(UserName,"\\"),-1)
View solution in original post
try this
rex field=cs_userdn "\w+\\(?\S+)"
Like this:
... | rex field=UserName mode=sed "s/[^\\\]*\\\//"
