https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60633#M2030 <P>I have the following syslog</P> <P>Jan 30 14:34:05 10.234.150.21 Jan 30 13:34:05 DEN-COLO-VBN-CTRL-01 stm[10699]: &lt;305007&gt; <INFO> <DEN-COLO-VBN-CTRL-01 10.234.150.21=""> AP Smith, John replacement bootstrapped</DEN-COLO-VBN-CTRL-01></INFO></P> <P>I am trying to extract "John Smith" as the username. The closest I have gotten so far:</P> <P>(?:[^-\n]*-){8}\d+\s+\d+.\d+.\d+.\d+&gt;\s+\w+\s+(?P<FIELDNAME2>[^,]+),(?P<FIELDNAME1>\s+\w+)</FIELDNAME1></FIELDNAME2></P> <P>which extracts "John" as the First Name and "Smith" as the last name. Can I concatenate the two somehow? Also having the username as "Smith, John" would work as well.</P> <P>Any thoughts?</P> Mon, 30 Jan 2012 20:42:50 GMT loorimar 2012-01-30T20:42:50Z https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60633#M2030 <P>I have the following syslog</P> <P>Jan 30 14:34:05 10.234.150.21 Jan 30 13:34:05 DEN-COLO-VBN-CTRL-01 stm[10699]: &lt;305007&gt; <INFO> <DEN-COLO-VBN-CTRL-01 10.234.150.21=""> AP Smith, John replacement bootstrapped</DEN-COLO-VBN-CTRL-01></INFO></P> <P>I am trying to extract "John Smith" as the username. The closest I have gotten so far:</P> <P>(?:[^-\n]*-){8}\d+\s+\d+.\d+.\d+.\d+&gt;\s+\w+\s+(?P<FIELDNAME2>[^,]+),(?P<FIELDNAME1>\s+\w+)</FIELDNAME1></FIELDNAME2></P> <P>which extracts "John" as the First Name and "Smith" as the last name. Can I concatenate the two somehow? Also having the username as "Smith, John" would work as well.</P> <P>Any thoughts?</P> Mon, 30 Jan 2012 20:42:50 GMT https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60633#M2030 loorimar 2012-01-30T20:42:50Z https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60634#M2031 <P>You can use an eval command to create a new field:</P> <P>| eval fullname= fieldname1 . " " . fieldname2</P> <P>That'll create a field called fullname that's = "John Smith"</P> <P>Brian</P> Mon, 30 Jan 2012 21:14:35 GMT https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60634#M2031 Brian_Osburn 2012-01-30T21:14:35Z https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60635#M2032 <P>Thanks Brian,</P> <P>That's very cool. Ideally I would like to have this extracted into a single field at search time so I don't have to eval it as part of the search.</P> Mon, 30 Jan 2012 21:19:03 GMT https://community.splunk.com/t5/Security/Extract-username-with-comma/m-p/60635#M2032 loorimar 2012-01-30T21:19:03Z