I tried this and it is working:
| rex "COMMAND=\/[a-z]*\/[a-z]*\s-\s(?<service_account>[^ ]+)"
Hi, thanks.
I also want to extract another field from the data below: "webadmin" as service_Account, from COMMAND=/bin/su - webadmin
Dec 2 08:46:55 server1 sudo[3461907]: ib12345 : TTY=pts/0 ; PWD=/home/ib12345 ; USER=root ; COMMAND=/bin/su - webadmin
Assuming your spacing is as shown in your example:
| rex "sudo\s*?:\s(?<upi>\S+)\s"
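The two extractions discussed in this thread (the invoking user and the `su` target account), combined in an added Python example that is not code from any poster. It goes beyond the thread's regexes by tolerating an optional `[pid]` after `sudo`, any path depth before `su`, and `su` with or without `-`. The function names, the flag list and every sample line except the first are assumptions made for illustration.

```python
import re

# Python spells named groups (?P<name>...); Splunk's rex uses (?<name>...).
SUDO_RE = re.compile(
    r"sudo(?:\[\d+\])?:\s+(?P<upi>\S+)\s+:\s+(?:.*?;\s+)?"
    r"USER=(?P<run_as>\S+)\s+;\s+COMMAND=(?P<command>.+)$"
)
SU_RE = re.compile(r"^(?:/\S+/)?su(?:\s+(?P<args>.*))?$")
# su flags that take no value (util-linux su); anything else is treated as ambiguous.
PLAIN_FLAGS = {"-", "-l", "--login", "-m", "-p", "--preserve-environment", "-P", "--pty"}


def su_target(command):
    """Return the account su switches to, or None if not su / not decidable."""
    m = SU_RE.match(command.strip())
    if not m:
        return None
    for tok in (m.group("args") or "").split():
        if tok in PLAIN_FLAGS:
            continue
        if tok.startswith("-"):
            return None  # e.g. -c/-s take a value; do not guess
        return tok
    return "root"  # su with no user argument targets root


def parse_sudo(line):
    """Extract upi, run_as, command and service_account from one sudo log line."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["service_account"] = su_target(fields["command"])
    return fields


# First line is the sample from the thread; the rest are constructed variants.
SAMPLES = [
    "Dec 2 08:46:55 server1 sudo[3461907]: ib12345 : TTY=pts/0 ; PWD=/home/ib12345 ; USER=root ; COMMAND=/bin/su - webadmin",
    "Dec 2 08:47:10 server1 sudo: ib12345 : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/usr/bin/su -l dbadmin",
    "Dec 2 08:47:30 server1 sudo: ib12345 : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/su appuser",
    "Dec 2 08:48:02 server1 sudo: ib12345 : TTY=pts/0 ; PWD=/ ; USER=root ; COMMAND=/bin/ls /root",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(parse_sudo(s))
```

Running variants like these through a candidate regex before saving it as a field extraction shows which `su` invocations would otherwise leave `service_account` empty in a search.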