https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331566#M160762 <P>You can create a field extraction (using a regex, or the field extractor mentioned by Adonio above). And name the field you created, to be SUDO_ORIGIN.</P> <P>Assuming that the event always has something like "sudo[somenumber]: sudo_username "<BR /> example of inline regex : </P> <PRE><CODE>mysearch_for_sudo_events | rex "sudo\[\d+\]: (?&lt;SUDO_ORIGIN&gt;\w+) :" | table _time SUDO_ORIGIN _raw </CODE></PRE> Fri, 09 Jun 2017 17:10:17 GMT yannK 2017-06-09T17:10:17Z https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331564#M160760 <P>Hello,</P> <P>i'm a newbie in the world of splunk and i would know how i can add this <STRONG>word</STRONG> to make it a field</P> <P>My log is :</P> <P>&lt;85&gt;Jun 9 14:00:58 ccstcasi sudo[10277]: <STRONG>splunker</STRONG> : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status</P> <P>USER =root host =localhost source =tcp:514 sourcetype =tcp-raw </P> <P>i want to change my log to a other log where splunker will be SUDO_ORIGIN=splunker because splunker is the user who initiated the sudo command.</P> <P>so i want something like that:</P> <P>&lt;85&gt;Jun 9 14:00:58 ccstcasi sudo[10277]: <STRONG>SUDO_ORIGIN=splunker</STRONG> : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status</P> <P>USER =root host =localhost source =tcp:514 sourcetype =tcp-raw SUDO_ORIGIN:splunker or other user</P> <P>because i want to visualize a histogram with: count of sudo command / time and i want to filter the sudo command with SUDO_ORIGIN that is all user who execute the sudo command. </P> <P>Thank you</P> <P><STRONG>PS: Sorry for my english</STRONG></P> Fri, 09 Jun 2017 14:25:57 GMT https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331564#M160760 amir_thales 2017-06-09T14:25:57Z https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331565#M160761 <P>hello amir,<BR /> you can use the interface filed extractor:<BR /> <A href="https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX">https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX</A><BR /> also, looks like some linux log, i think that the Add-on for linux has this one prebuilt<BR /> try download and use here:<BR /> <A href="https://splunkbase.splunk.com/app/833/">https://splunkbase.splunk.com/app/833/</A><BR /> follow the docs on the app <BR /> hope it helps</P> Fri, 09 Jun 2017 16:36:32 GMT https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331565#M160761 adonio 2017-06-09T16:36:32Z https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331566#M160762 <P>You can create a field extraction (using a regex, or the field extractor mentioned by Adonio above). And name the field you created, to be SUDO_ORIGIN.</P> <P>Assuming that the event always has something like "sudo[somenumber]: sudo_username "<BR /> example of inline regex : </P> <PRE><CODE>mysearch_for_sudo_events | rex "sudo\[\d+\]: (?&lt;SUDO_ORIGIN&gt;\w+) :" | table _time SUDO_ORIGIN _raw </CODE></PRE> Fri, 09 Jun 2017 17:10:17 GMT https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331566#M160762 yannK 2017-06-09T17:10:17Z https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331567#M160763 <P>Sorry for the response time, being an alternate student I could not answer you. </P> <P>Thank you yannK and adonio for your answer, it helped me a lot</P> <P>Amir<BR /> Cordialy</P> Wed, 14 Jun 2017 09:22:23 GMT https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331567#M160763 amir_thales 2017-06-14T09:22:23Z https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331568#M160764 <P>Hello yannK and Adonio,</P> <P>thanks for your answers which helped me a lot.</P> <P>Amir</P> <P>Cordialy</P> Wed, 14 Jun 2017 10:36:35 GMT https://community.splunk.com/t5/Splunk-Search/add-a-word-string-as-a-field/m-p/331568#M160764 amir_thales 2017-06-14T10:36:35Z