I messed up - take out the first “user not found” that deletes the number you are looking for and screws the whole thing up! - I had deleted it in my test but messed up on the one I pasted in!!! so it should be:
rule "Graylog Web Access User Convert"
when
contains(to_string($message.message),"UID=")
then
// create a local to make it slightly less intensive to work with
let robin = to_string($message.message);
let batman = replace(robin, "1914600003", "steveno");
let batman = replace(robin, "100100110010011001001", "tad.sherrill");
let batman = replace(robin, "987324e32874ff32892b2829", "steven.o");
// changed the number of digits count to be required between 6 and 10 {6,10}
let batman = regex_replace("(?<=UID\\=)(?>\\d{6,10})",robin,"USER_NOT_FOUND",false);
set_field("message",batman);
end