Distinguishing username from domain\username using grok

I am trying to create a grok statement that will pull the username out of a syslog file. When users enter their authentication information for our VPN login, they can put either domain\username, or just username, and either will work. However, I am having an issue trying to capture just the username using a grok statement. Below is my grok statement:
%{SYSLOGPROG:syslog_pri} %{TIMESTAMP_ISO8601} %{SYSLOGHOST:@hostname} PulseSecure: - - - %{TIMESTAMP_ISO8601} - %{HOSTNAME:NetworkDeviceName} - [%{IPV4:source_ip_address}]( | domain\)%{USERNAME:user}%{GREEDYDATA:syslog_message}
However, it always just captures the domain name as the username. Am I using the correct regex for instances where there can be either a space, then username, or space, domain\username, after the IP address?
Edit: when I posted this here, it does not show the escape backslash after the domain name, but it is there in my grok statement.

Rather than using alternation I would use ? (zero or more) around the domain

%{IPV4:source_ip_address}] (domain\)?%{USERNAME:user}

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.