Hi,
From the below events I need to extract the field called "Event_Name", which is associated with "BeyondTrust_PBUL_ACCEPT_Event", from the below 3 events.
Desired output: Event_Name (field name) = BeyondTrust_PBUL_ACCEPT_Event (field value)
Example Event 1:
<86>Dec 22 ddppvc0729 pbmerd2.1.0-12: BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='IST'; Request_Date='2021/1/27'; Request_Time='2:2:51'; Request_End_Date='2021/1/27'; Request_End_Time='22:1:51';Submit_User='spnt'; Submit_Host='wcpl.com';
Example Event 2:
<83>Dec 22 ddpc0729 pbmerd21.1.0-12: [2658] 5105.1 failed to get ACK packet during a CMD_SWAPTTY_ONE_LINE sequence - read failure in receive acknowledgement
Example Event 3:
<38>Dec 22 ddppvc0729 root[25132]: [ID 7011 auth.info] CEF:0|BeyondTrust|PowerBroker|1.1.0-12|7011|PBEvent=Accept|4|act=Accept end=Dec 1 2021 1:11:40 shost=dc8 dvchost=dc8 suser=t8adsfk duser=root filePath=/opt/ cs1Label=Ticket cs1=Not_Applicable deviceExternalId=0a2adfersds9 fname=./SSB_Refresh_Pbrun_Local_Policy_Files.sh
What I tried for regex extraction:
Input: (?<Event_Name>\w{10}[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+)
Output: matches in 2 places across the above 3 events
Please clarify which part of each event is the Event_Name, especially Example 2.
Are the sample events from the same sourcetype? They look very different, which means they can have different field extractions.
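To make the two points above concrete (why the posted regex fires in 2 of the 3 events, and how a pattern anchored on the actual event-name token fires only where Event_Name exists), here is an added example that is not part of the thread. It runs the question's regex and a tighter, assumed alternative over constructed copies of the three sample events. The only change to the original regex is the `(?P<name>...)` group syntax that Python's `re` module requires; Splunk's PCRE engine takes `(?<name>...)`. The tighter pattern `BeyondTrust_\w+_Event:` is my assumption about how the accept/reject event names are shaped, not something the thread states.

```python
import re

# Constructed copies of the three sample events from the thread (raw syslog lines).
EVENTS = [
    "<86>Dec 22 ddppvc0729 pbmerd2.1.0-12: BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='IST'; "
    "Request_Date='2021/1/27'; Request_Time='2:2:51'; Request_End_Date='2021/1/27'; "
    "Request_End_Time='22:1:51';Submit_User='spnt'; Submit_Host='wcpl.com';",
    "<83>Dec 22 ddpc0729 pbmerd21.1.0-12: [2658] 5105.1 failed to get ACK packet during a "
    "CMD_SWAPTTY_ONE_LINE sequence - read failure in receive acknowledgement",
    "<38>Dec 22 ddppvc0729 root[25132]: [ID 7011 auth.info] CEF:0|BeyondTrust|PowerBroker|"
    "1.1.0-12|7011|PBEvent=Accept|4|act=Accept end=Dec 1 2021 1:11:40 shost=dc8 dvchost=dc8 "
    "suser=t8adsfk duser=root filePath=/opt/ cs1Label=Ticket cs1=Not_Applicable "
    "deviceExternalId=0a2adfersds9 fname=./SSB_Refresh_Pbrun_Local_Policy_Files.sh",
]

# The pattern from the question. Splunk's PCRE accepts (?<name>...); Python's re
# module needs the (?P<name>...) spelling, which is the only change made here.
# It only requires "10 word chars, then letters and 3 underscores", so it also
# grabs part of the script name in the CEF event (SSB_Refresh_Pbrun_Local_Policy).
ORIGINAL_PATTERN = r"(?P<Event_Name>\w{10}[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+)"

# Tighter pattern (an assumption, not from the thread): anchor on the literal
# vendor prefix, the "_Event" suffix and the colon that follows the name.
# In Splunk write it as (?<Event_Name>BeyondTrust_\w+_Event):
TIGHT_PATTERN = r"\b(?P<Event_Name>BeyondTrust_\w+_Event):"


def extract_event_names(pattern, events=EVENTS):
    """Return {event_number: captured Event_Name} for every event the pattern hits.

    Event numbers are 1-based so they line up with "Example Event 1/2/3" above.
    """
    rx = re.compile(pattern)
    hits = {}
    for idx, line in enumerate(events, start=1):
        m = rx.search(line)
        if m:
            hits[idx] = m.group("Event_Name")
    return hits


if __name__ == "__main__":
    for label, pat in (("original", ORIGINAL_PATTERN), ("tight", TIGHT_PATTERN)):
        print(label, extract_event_names(pat))
```

Running it shows the original regex capturing `BeyondTrust_PBUL_ACCEPT_Event` from event 1 and `SSB_Refresh_Pbrun_Local_Policy` from event 3 (the "2 places" in the question), while the anchored pattern captures only event 1. If events 2 and 3 really come from other sourcetypes, as the reply suggests, the cleanest fix is to scope the extraction to the sourcetype that carries the `BeyondTrust_..._Event:` token rather than making one regex serve all three formats.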