Parsing out unwanted characters in username

  • January 29, 2026

ShawnR

I am trying to parse out unwanted domain data from a user field that is already being parsed in the parser extension.  So we already have two user variables set [user1] and [user2] and they are being mapped respectively to principal and target user.

The problem I am having is that I want to remove “domain\\” from “domain\\username” but I cannot figure out how.

Current output from below parsing “principal.user.userid"Domain\\username"”
 

if [User1] != "" {
    mutate {
        replace => {
            "user1_field.key" => "User1"
            "user1_field.value" => "%{User1}"
        }
        on_error => "failed_to_map_User1"
    }
    if ![failed_to_map_User1] {
        mutate {
            merge => {
                "target.resource.attribute.labels" => "user1_field"
            }
            on_error => "failed_to_merge_User1"
        }
    }
    mutate {
        replace => {
            "principal.user.userid" => "%{User1}"
        }
        on_error => "failed_to_map_User1_to_user"
    }
}
if [User2] != "" {
    if [User1] == "" {
        mutate {
            replace => {
                "principal.user.userid" => "%{User2}"
            }
            on_error => "failed_to_map_User2"
        }
    }
    else {
        mutate {
            replace => {
                "user2_field.key" => "User2"
                "user2_field.value" => "%{User2}"
            }
            on_error => "failed_to_map_User2"
        }
        if ![failed_to_map_User2] {
            mutate {
                merge => {
                    "principal.user.attribute.labels" => "user2_field"
                }
                on_error => "failed_to_merge_User2"
            }
        }
    }
}


kentphelps
Staff
  • February 18, 2026

You should look at using gsub or grok in the mutate filter.  For gsub something like:

mutate {
    gsub => [
        # Replace "domain\" (any characters followed by a backslash) with nothing
        "User1", ".*\\", "",
        "User2", ".*\\", ""
    ]
    on_error => "failed_to_strip_domain_prefix"
}

then you map the variables to the UDM fields.
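
The stripping suggested in the reply above, checked against edge cases, as an added example that is not part of the original thread: a Python simulation of the `.*\\` substitution followed by the question's User1/User2 choice for `principal.user.userid`. The function names and sample values are constructed for illustration, and it assumes the parser's regex engine treats this pattern the same way Python's `re` does.

```python
import re
from typing import Optional

# Same pattern as in the gsub above: greedy "anything, then a backslash".
DOMAIN_PREFIX = re.compile(r".*\\")


def strip_domain(value: str) -> str:
    """Return value with everything up to the last backslash removed."""
    return DOMAIN_PREFIX.sub("", value)


def map_userid(user1: str, user2: str) -> Optional[str]:
    """Mirror the question's mapping: User1 wins, User2 is the fallback.

    Stripping runs first, so a value that was only a domain prefix
    becomes empty and is skipped like any other empty field.
    """
    user1, user2 = strip_domain(user1), strip_domain(user2)
    if user1 != "":
        return user1
    if user2 != "":
        return user2
    return None


# Constructed sample values (not taken from real logs): input -> expected.
SAMPLES = {
    r"CORP\jsmith": "jsmith",          # single backslash
    r"CORP\\jsmith": "jsmith",         # doubled backslash, as in the question
    r"FOREST\CORP\jsmith": "jsmith",   # greedy match removes every prefix
    "jsmith": "jsmith",                # no domain: unchanged
    "jsmith@corp.example": "jsmith@corp.example",  # UPN form: untouched
    "CORP\\": "",                      # prefix only: nothing left
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        print(f"{raw!r:28} -> {strip_domain(raw)!r} (expected {expected!r})")
```

Because the match is greedy, a value that ends in a backslash is reduced to an empty string, so the `!= ""` checks need to run after the gsub rather than before it.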