Parsing IIS log - remove part of string


I have IIS log, example :
2017-10-01 08:29:30 GET /Lists/NewsFeed/AllItems.aspx AjaxDelta=1 80 0#.w|mad\sp3_dev Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+6.2;+WOW64;+Trident/6.0;+.NET4.0E;+.NET4.0C;+.NET+CLR+3.5.30729;+.NET+CLR+2.0.50727;+.NET+CLR+3.0.30729) http://sppanoramadev/Shared%20Documents/Forms/AllItems.aspx 200 0 0 327

grok line I'm running is:
"%{TIMESTAMP_ISO8601:log_timestamp} %{IP:serverIP} %{WORD:method} %{URIPATH:uriStem} %{NOTSPACE:uriQuery} %{POSINT:port} %{NOTSPACE:username} %{IP:clientIP} %{NOTSPACE:userAgent} %{URI:URL} %{NUMBER:response}"

the username output is "0#.w|mad\sp3_dev"
I need o parse only the username without all the characters and domain name "0#.w|mad"
This "|" is a pipe line character.

how can I do it?

You could use the KV filter on that | to split it, then throw away the first part.

Duplicate of Grok username in iis log.

Thanks, we'll close this one in favour of that one as it's the original :slight_smile: