I would like to capture the word unknown and anything after abcd, abcd.com\ and unknown
unknown
abcd\svc-backup
abcd\swt034
abcd\svc-app-login
abcd.com\chi572
abcd\daj144
abcd\smi556
abcd\mki317
abcd\aiw014
abcd\joh488
abcd\ymc965
abcd\jet041
abcd\rjo220
abcd\mst790
abcd.com\sre590
It captures fine with the regex
https://regex101.com/r/c9vdia/2/
But when I use this in the Splunk search it's just throwing my domain
index="paloalto"
| table user
| rex field=user "(?P<user_name>((?:abcd\([A-Za-z0-9-]+|\w+)))"
I am only getting the domain name (abcd), but users without a domain look good.
firstname.lastname? – revo

by escaping it. See regex101.com/r/v08cz7/2. Try (?P<user_name>(?:abcd.*\\)([A-Za-z0-9-]+)|\w+.?)

Note that if you want to match the dot literally you have to escape it. Demo – The fourth bird

(?P<user_name>(?:abcd[^\\]*\\)([A-Za-z0-9]+(?:-[A-Za-z0-9]+)*)|\w+\.?) See regex101.com/r/oW65Fr/1 – The fourth bird
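A worked version of the extraction the question and the comments describe, added here as an illustration; it is not code from the thread or from Splunk. It uses Python's re module instead of Splunk's rex (both accept the (?P<name>...) group syntax used above), a raw string keeps the backslash escaping that tripped up the search out of the way, and the pattern generalizes the abcd / abcd.com prefix to any domain prefix ending in a backslash. The domain part is a non-capturing group, so the named field holds only the account name; the character class includes the dot, which keeps firstname.lastname intact, the case revo raised. SAMPLE_USERS is a constructed list mirroring the formats listed in the question.

```python
import re

# Constructed sample values mirroring the user field formats in the question:
# DOMAIN\user, DOMAIN.COM\user, the literal "unknown", and a bare firstname.lastname.
SAMPLE_USERS = [
    "unknown",
    "abcd\\svc-backup",
    "abcd\\swt034",
    "abcd.com\\chi572",
    "abcd\\aiw014",
    "firstname.lastname",
]

# The domain prefix (everything up to the last backslash) is a non-capturing group,
# so only the account name lands in the user_name field. Hyphen, dot and underscore
# are allowed inside the name so "svc-backup" and "firstname.lastname" survive whole.
# Anchors reject values that are not a plain account name (e.g. a trailing backslash).
USER_RE = re.compile(r"^(?:[^\\]+\\)?(?P<user_name>[A-Za-z0-9][A-Za-z0-9._-]*)$")


def extract_user(value):
    """Return the account name without any domain prefix, or None when the value
    does not look like a username at all (useful for flagging malformed records)."""
    match = USER_RE.match(value.strip())
    return match.group("user_name") if match else None


def extract_all(values):
    """Apply extract_user to a list of raw user field values."""
    return [extract_user(v) for v in values]


def bare_word_only(value):
    """What the thread's \\w+ fallback alone yields: it stops at the first dot,
    which is why firstname.lastname needs the dot in the character class."""
    match = re.match(r"\w+", value)
    return match.group(0) if match else None


if __name__ == "__main__":
    for raw, clean in zip(SAMPLE_USERS, extract_all(SAMPLE_USERS)):
        print(f"{raw!r:28} -> {clean!r}")
```

Running the block prints each constructed value beside its extracted account name; the None return is the place to count or alert on user fields that do not parse, rather than silently dropping them.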