Regex for field extraction

splunkn — Thu, 22 Jan 2015 14:43:25 GMT

I am having a source file with the two below mentioned format. However I need to extract a same field but whose positions differ.
Could anyone help me with appropriate regex?

Jan 21 19:38:53 hostname sudo: pam_unix(sudo:session): session opened for user abc by xyz(uid=0)

Jan 21 19:38:38 hostname sshd[000]: Accepted password for xyz from port 123

Here I need to extract the user "xyz" . Both events belongs to same source. How could write the regex to match the both?

OR do we need to go with Field alias?

Thanks in advance

Re: Regex for field extraction

pradeepkumarg — Thu, 22 Jan 2015 15:33:59 GMT

One way is to extract both differently and then use coalesce function to grab the one that is not NULL

... |  rex "(?i)session opened for user \w+ by (?P<USER1>.\w+)\W"  |  rex "(?i)Accepted password for(?P<USER2>.\w+) from" 
    | eval USER = coalesce(USER1,USER2)

topic Regex for field extraction in Splunk Search

Regex for field extraction

Re: Regex for field extraction