How do I extract the fourth field (NAME) from the following? I am very new to Splunk and regular expressions.
Failed user login NAME IP address on device
Appreciate your guidance.
Try this
Your query to return events
| rex field=_raw "(?<field1>[\S]+)\s(?<field2>[\S]+)\s(?<field3>[\S]+)\s(?<myName>[\S]+)\s.*"
| table myName
OR try
Your query to return events
| rex "Failed\suser\slogin\s(?<myName>[\S]+)\s.*"
| table myName
No spaces in the NAME field.
The rex "..." below resolved the issue.
Thank you
Does the NAME field ever contain spaces? If so, that makes this a bit harder unless you wrap the NAME in quotes.
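Added example (not from this thread, and not Splunk's own code): the same named-group extraction done in Python so the two approaches from the answer, and the quoted-name caveat from the comment above, can be checked against constructed events offline. Splunk's rex uses PCRE syntax `(?<name>...)`; Python's re module spells the same named group `(?P<name>...)`. The sample events, the placeholder host "device" and the function names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events (not taken from the thread). The last one repeats a
# user so the per-name count below has something to aggregate.
SAMPLE_EVENTS = [
    "Failed user login jsmith 10.0.0.5 on device",
    'Failed user login "Jane Smith" 10.0.0.7 on device',
    "Successful user login jsmith 10.0.0.5 on device",
    "Failed user login jsmith 10.0.0.9 on device",
]

# Pattern A: the answer's anchored form. NAME is one run of non-whitespace,
# so it only works when NAME never contains spaces.
ANCHORED_NO_SPACES = re.compile(r"Failed\suser\slogin\s(?P<myName>\S+)\s.*")

# Pattern B: the quoted-name variant from the follow-up comment. NAME is either
# a double-quoted string (spaces allowed inside) or a bare non-space token.
ANCHORED_QUOTED = re.compile(
    r'Failed\suser\slogin\s(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s'
)


def extract_name_simple(event):
    """Pattern A: returns NAME for a failed-login event, else None.
    On a quoted multi-word name this returns a truncated value (e.g. '"Jane')."""
    m = ANCHORED_NO_SPACES.search(event)
    return m.group("myName") if m else None


def extract_name(event):
    """Pattern B: returns NAME (unquoted) for a failed-login event, else None."""
    m = ANCHORED_QUOTED.search(event)
    if not m:
        return None
    # Exactly one of the two alternatives matched.
    return m.group("quoted") or m.group("bare")


def extract_names(events):
    """Equivalent of '| rex ... | table myName' over a list of raw events."""
    return [extract_name(e) for e in events]


def count_failed_by_name(events):
    """Aggregate failed logins per NAME, the usual next step after extraction
    (the Splunk equivalent would be '| stats count by myName')."""
    return Counter(name for name in extract_names(events) if name is not None)


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(repr(e), "->", extract_name_simple(e), "|", extract_name(e))
    print(dict(count_failed_by_name(SAMPLE_EVENTS)))
```

Running the block shows why the comment matters: on the quoted event, pattern A returns `"Jane` while pattern B returns `Jane Smith`; events that are not failed logins yield `None` under both patterns rather than a wrong field.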