Parsing IIS log - remove part of string

frumat_l · October 8, 2017, 7:52am

Hi,

I have IIS log, example :
2017-10-01 08:29:30 10.70.4.52 GET /Lists/NewsFeed/AllItems.aspx AjaxDelta=1 80 0#.w|mad\sp3_dev 10.70.4.52 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) http://sppanoramadev/Shared%20Documents/Forms/AllItems.aspx 200 0 0 327

grok line I'm running is:
"%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{POSINT:port} %{NOTSPACE:username} %{IP:clientIP} %{NOTSPACE:userAgent} %{URI:URL} %{NUMBER:response}"

the username output is "0#.w|mad\sp3_dev"
I need o parse only the username without all the characters and domain name "0#.w|mad"
This "|" is a pipe line character.

how can I do it?

warkolm · October 8, 2017, 8:00am

You could use the KV filter on that | to split it, then throw away the first part.

magnusbaeck · October 8, 2017, 9:07am

Duplicate of Grok username in iis log.

warkolm · October 8, 2017, 9:21am

Thanks, we'll close this one in favour of that one as it's the original