I have logs that do not use the default name value format for the user field. When I add a field extractor for my user format and name it "user", the default format of "user=" is no longer included in the search. How do I add to the existing field rule rather than replace it?
Try adding a different field name instead of user for field extraction and then use a field alias to link both
http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addaliasestofields
You can do it like this:
# props.conf: a REPORT-<class> entry with its own unique class name, pointing at the transforms.conf stanza below
[YourSourcetypeHere]
REPORT-SomeArbitraryUniqueStringHere = UserFieldMultipleFormats
# transforms.conf: one regex covering the non-"user=" formats; $1 is the captured user name
[UserFieldMultipleFormats]
REGEX = (?:session (?:closed|opened) for|disconnected by|[Ii]nvalid|about|check pass;) user (\w+)
FORMAT = user::$1
I have a number of formats for user. How can I create a field extractor that will cover all of them:
session closed for user XXXX
session opened for user XXXX
disconnected by user XXXX
invalid user XXXX
about user XXXX
check pass; user unknown
Invalid user XXXX
user=XXXX (default built into linux_secure)
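Before deploying a transforms.conf regex it is worth running it over a sample of each log format it is meant to cover. The following is an added example, not code from this thread or from Splunk: it takes the REGEX from the answer above unchanged, runs it against one constructed event per format listed in the question, and shows that the "user=XXXX" format is not covered by that regex and still needs the built-in rule. The `DEFAULT_USER_REGEX` pattern is an assumed stand-in for the linux_secure built-in extraction (the real rule is not on the page), and all sample events are constructed.

```python
import re

# REGEX from the transforms.conf answer in this thread, copied unchanged.
USER_REGEX = re.compile(
    r"(?:session (?:closed|opened) for|disconnected by|[Ii]nvalid|about|check pass;) user (\w+)"
)

# Assumed stand-in for the built-in linux_secure "user=XXXX" extraction
# (the actual built-in rule is not shown in the thread).
DEFAULT_USER_REGEX = re.compile(r"\buser=(\w+)")

# Constructed sample events, one per format listed in the question.
SAMPLE_EVENTS = [
    "pam_unix(sshd:session): session closed for user alice",
    "pam_unix(sshd:session): session opened for user bob by (uid=0)",
    "Received disconnect from 10.0.0.5: 11: disconnected by user carol",
    "Failed password for invalid user dave from 10.0.0.9 port 4022 ssh2",
    "pam_unix: nothing known about user erin",
    "pam_unix(sshd:auth): check pass; user unknown",
    "Invalid user frank from 10.0.0.7",
    "pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=10.0.0.7 user=grace",
]


def covered_by_custom_regex(events):
    """True for each event that the custom REGEX alone would extract a user from."""
    return [USER_REGEX.search(event) is not None for event in events]


def extract_user(event):
    """Return the user name from one event, or None.

    Mirrors what Splunk does when both the custom REPORT extraction and the
    built-in "user=" extraction stay active: either rule may populate the field.
    """
    for pattern in (USER_REGEX, DEFAULT_USER_REGEX):
        match = pattern.search(event)
        if match:
            return match.group(1)
    return None


def extract_users(events):
    """Extract the user from every event, preserving order."""
    return [extract_user(event) for event in events]


if __name__ == "__main__":
    for event, covered, user in zip(
        SAMPLE_EVENTS, covered_by_custom_regex(SAMPLE_EVENTS), extract_users(SAMPLE_EVENTS)
    ):
        print(f"custom_regex={'yes':3} " if covered else "custom_regex=no  ", f"user={user!r:10} {event}")
```

The last event is the one to watch: `covered_by_custom_regex` returns False for it, which is why the answer's REPORT stanza uses its own class name rather than overriding the existing "user" extraction. Note that `\buser=` deliberately does not match the empty `ruser=` token, since there is no word boundary inside "ruser".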