https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340307#M100928 <P>That's looking like unix log records. Your best bet is to take all the events from about 30 seconds before to ten seconds after and look at each one. </P> <P>Here's a set of log records I stole for reference off of <A href="https://unix.stackexchange.com/questions/250196/how-to-track-who-added-sudo-privilege-to-a-user">stackexchange</A> ...</P> <PRE><CODE>$ cat /var/log/auth.log | grep -i xyz Dec 18 18:54:51 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/useradd xyz Dec 18 18:54:51 pandya-desktop useradd[7763]: new group: name=xyz, GID=1002 Dec 18 18:54:51 pandya-desktop useradd[7763]: new user: name=xyz, UID=1002, GID=1002, home=/home/xyz, shell= Dec 18 18:55:51 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/usermod -a -G group xyz Dec 18 18:55:57 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo xyz Dec 18 18:55:57 pandya-desktop usermod[7872]: add 'xyz' to group 'sudo' Dec 18 18:55:57 pandya-desktop usermod[7872]: add 'xyz' to shadow group 'sudo' </CODE></PRE> <P>Your search is keying off the last record. </P> <P>The immediately prior set of records indicate that the user involved in altering user xyz was <CODE>USER=root</CODE>. (Really helpful, right?)</P> <P>The one other thing I noticed, poking around a bit, is that sometimes there will be a logoff right after the person does this. You might see something like "connection closed by 1.2.3.4" . So, that could be a clue too.</P> Tue, 01 Aug 2017 19:32:14 GMT DalJeanis 2017-08-01T19:32:14Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340305#M100926 <P>Below is my search string:</P> <PRE><CODE>index=* host=* sourcetype="*" "usermod" "add" "to shadow group" | rex "^(?:[^'\n]*'){3}(?P&lt;addedToGroup&gt;\w+)" | rex "^[^'\n]*'(?P&lt;userInGroup&gt;\w+)" </CODE></PRE> <P>This search shows me which user was added to which group but I really need it to show WHO added the user to the group. I can't figure out how to find the actual user who ran the usermod command. What do I need to do to get that field?</P> Tue, 01 Aug 2017 17:27:42 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340305#M100926 jcorkey 2017-08-01T17:27:42Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340306#M100927 <P>Can you share a sample event? Do you know if the raw data contains who ran the command?</P> Tue, 01 Aug 2017 18:10:24 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340306#M100927 somesoni2 2017-08-01T18:10:24Z https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340307#M100928 <P>That's looking like unix log records. Your best bet is to take all the events from about 30 seconds before to ten seconds after and look at each one. </P> <P>Here's a set of log records I stole for reference off of <A href="https://unix.stackexchange.com/questions/250196/how-to-track-who-added-sudo-privilege-to-a-user">stackexchange</A> ...</P> <PRE><CODE>$ cat /var/log/auth.log | grep -i xyz Dec 18 18:54:51 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/useradd xyz Dec 18 18:54:51 pandya-desktop useradd[7763]: new group: name=xyz, GID=1002 Dec 18 18:54:51 pandya-desktop useradd[7763]: new user: name=xyz, UID=1002, GID=1002, home=/home/xyz, shell= Dec 18 18:55:51 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/usermod -a -G group xyz Dec 18 18:55:57 pandya-desktop sudo: pandya : TTY=pts/2 ; PWD=/home/pandya ; USER=root ; COMMAND=/usr/sbin/usermod -a -G sudo xyz Dec 18 18:55:57 pandya-desktop usermod[7872]: add 'xyz' to group 'sudo' Dec 18 18:55:57 pandya-desktop usermod[7872]: add 'xyz' to shadow group 'sudo' </CODE></PRE> <P>Your search is keying off the last record. </P> <P>The immediately prior set of records indicate that the user involved in altering user xyz was <CODE>USER=root</CODE>. (Really helpful, right?)</P> <P>The one other thing I noticed, poking around a bit, is that sometimes there will be a logoff right after the person does this. You might see something like "connection closed by 1.2.3.4" . So, that could be a clue too.</P> Tue, 01 Aug 2017 19:32:14 GMT https://community.splunk.com/t5/Splunk-Search/Need-help-to-identify-user-field-in-my-current-search-string/m-p/340307#M100928 DalJeanis 2017-08-01T19:32:14Z