Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Stumped on this regex

dbcase
Motivator
‎10-15-2016 07:07 PM

Hi,

I'm trying to pull the user ID from the below data? The userids are: mspeer2, ddaniel, mirella, jcrews

I have a regex of 

rex "(?i)^(?:[^\-]*\-){7}\"\s+\"(?P<loginid>[^\"]+)"

but it isn't working 100% (more like 50%)

  "something.something.com" 75.27.137.133 "75.27.137.133" - - [15/Oct/2016:20:58:26 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 352093 0 UCT-193960 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mspeer2"

"something.something.com" 104.57.183.12 "104.57.183.12" - - [15/Oct/2016:20:58:04 -0500] "GET /rest/icontrol/login HTTP/1.1" 200 158 0 UCT-42064 "-" "HCM-R1" "-"  "ddaniel"

"something.something.com" 70.117.114.84 "70.117.114.84" - - [15/Oct/2016:20:55:14 -0500] "GET /rest/icontrol/login?expand=sites,instances,points,functions HTTP/1.1" 200 135730 0 UCT-82180 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 10_0_2 like Mac OS X) AppleWebKit/602.1.50 (KHTML, like Gecko) Mobile/14A456" "-"  "mirella"

8:43:57.000 PM

"something.something.com" 70.114.175.247 "70.114.175.247" - - [15/Oct/2016:20:43:57 -0500] "GET /rest/icontrol/login?expand=instances,points,functions HTTP/1.1" 200 99115 0 UCT-81322 "-" "-" "-" "jcrews"

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gokadroid
Motivator
‎10-15-2016 07:33 PM

If the login name is always the last one to occur in the log line then u can try below:

.*\"(?<loginid>[^\"]+)\"$

View solution in original post

Reply
Solved! Jump to solution
Solution

gokadroid
Motivator
‎10-15-2016 07:33 PM

If the login name is always the last one to occur in the log line then u can try below:

.*\"(?<loginid>[^\"]+)\"$
Reply
Solved! Jump to solution

dbcase
Motivator
‎10-15-2016 07:36 PM

Hi Gokadroid!

Many thanks! I've been working on figuring that out for a long time!!! Yours works great!!!!

0 Karma
Reply
Solved! Jump to solution

lakromani
Builder
‎10-16-2016 12:54 PM

No need to include all the text in front and " does not need to be escaped in the [], so this should do \"(?<loginid>[^"]+)\"$

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎10-15-2016 07:37 PM

Awesome!! If you can upvote the answer as well that will be great !!

0 Karma
Reply
Solved! Jump to solution

gokadroid
Motivator
‎10-15-2016 07:40 PM

Cool..thanks a lot @dbcase ...Happy Splunking!!

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎10-15-2016 07:42 PM

Thank you! You don't know how much this helped!

0 Karma
Reply
Solved! Jump to solution

dbcase
Motivator
‎10-15-2016 07:12 PM

whups, sorry Ignore the 8:43:57 on the last event sample. Cut and Paste error

0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...