Hi all,
I'm trying to do a field extraction of database name (let's call the field "DBname") from logs that come in 2 formats:
Jan 19 15:58:06 192.168.1.2 Jan 19 15:58:06 Message forwarded from Database1: Oracle Audit blablablabla
Jan 20 06:36:17 192.168.1.3 Jan 20 06:36:17 Database2 journal: Oracle Audit blablablablabla
Jan 21 06:36:17 192.168.1.4 Jan 21 06:36:17 Database_10 journal: Oracle Audit blablablablabla
Jan 22 15:58:06 192.168.1.5 Jan 22 15:58:06 Message forwarded from Database4: Oracle Audit blablablabla
Jan 23 15:58:06 192.168.1.6 Jan 23 15:58:06 Message forwarded from prmds1: Oracle Audit blablablabla
Jan 24 15:58:06 192.168.1.7 Jan 24 15:58:06 Message forwarded from Database_15: Oracle Audit blablablabla
Jan 26 15:58:06 192.168.1.9 Jan 26 15:58:06 Message forwarded from prmds2: Oracle Audit blablablabla
Jan 27 15:58:06 192.168.1.8 Jan 27 15:58:06 fafa32 journal: Oracle Audit blablablablabla
So, the "DBname" field value comes after "Message forwarded from" or before "journal". Splunk fails with the regex and unfortunately so do I. I found it's an issue that the events are so similarly formatted in this case 😄 My question is if I am missing something with the regex or I should approach it in a completely different manner.
Thank you for the help!
You can use a branch reset group in your expression.
Something like this would solve your problem.
(?|from\s(?<db>[^:]+):|\s(?<db>[^\s]+)\sjournal)
Great thanks to you, @BahadirS and @richgalloway , both solutions work like a charm!
We can do that at search time using two rex commands and then selecting the non-null result.
| rex "forwarded from (?<DBname1>\w+)"
| rex "(?<DBname2>\w+) journal:"
| eval DBname=coalesce(DBname1, DBname2)
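Both answers above can be checked offline against the sample events from the question. The following is an added Python example, not code from either answer or from Splunk: it implements the single-regex approach (Splunk's rex uses PCRE, which supports the branch reset group `(?|...)`; Python's built-in `re` module does not, so the single pattern here uses two differently named groups and picks whichever one matched) and, alongside it, the two-pattern-plus-coalesce approach from the second answer. The event list is constructed from the question's own lines, plus one unrelated line to show the no-match case; function names are my own.

```python
import re

# Constructed sample events, taken from the two formats shown in the question,
# plus one line that matches neither format.
SAMPLE_EVENTS = [
    "Jan 19 15:58:06 192.168.1.2 Jan 19 15:58:06 Message forwarded from Database1: Oracle Audit blablablabla",
    "Jan 20 06:36:17 192.168.1.3 Jan 20 06:36:17 Database2 journal: Oracle Audit blablablablabla",
    "Jan 21 06:36:17 192.168.1.4 Jan 21 06:36:17 Database_10 journal: Oracle Audit blablablablabla",
    "Jan 23 15:58:06 192.168.1.6 Jan 23 15:58:06 Message forwarded from prmds1: Oracle Audit blablablabla",
    "Jan 27 15:58:06 192.168.1.8 Jan 27 15:58:06 fafa32 journal: Oracle Audit blablablablabla",
    "Jan 28 00:00:00 192.168.1.10 Jan 28 00:00:00 unrelated message with no database name",
]

# Single-pattern variant. Python's re has no branch reset group (?|...), so the two
# alternatives carry different group names; whichever branch matched is non-None.
SINGLE_PATTERN = re.compile(
    r"forwarded from (?P<db_fwd>[^:]+):"   # format 1: "... forwarded from <name>: ..."
    r"|\s(?P<db_journal>\S+) journal:"     # format 2: "... <name> journal: ..."
)

# Two-pattern variant, mirroring the two rex commands followed by coalesce().
FORWARDED_PATTERN = re.compile(r"forwarded from (?P<DBname1>\w+)")
JOURNAL_PATTERN = re.compile(r"(?P<DBname2>\w+) journal:")


def extract_dbname_single(event: str):
    """Return the DB name using the single alternation pattern, or None if neither branch matches."""
    m = SINGLE_PATTERN.search(event)
    if m is None:
        return None
    # Exactly one of the two named groups is populated for a given match.
    return m.group("db_fwd") or m.group("db_journal")


def extract_dbname_coalesce(event: str):
    """Return the DB name the way the two-rex search does: first non-null extraction wins."""
    for pattern in (FORWARDED_PATTERN, JOURNAL_PATTERN):
        m = pattern.search(event)
        if m:
            return m.group(1)
    return None


def extract_all(events, extractor=extract_dbname_single):
    """Apply one extractor to every event; None marks events with no DB name."""
    return [extractor(e) for e in events]


if __name__ == "__main__":
    for event, single, coalesced in zip(
        SAMPLE_EVENTS,
        extract_all(SAMPLE_EVENTS, extract_dbname_single),
        extract_all(SAMPLE_EVENTS, extract_dbname_coalesce),
    ):
        print(f"{single!s:12} {coalesced!s:12} <- {event[:60]}...")
```

One caveat worth keeping in mind when choosing between the two answers: the first answer's `[^:]+` and `[^\s]+` accept any character except the delimiter, while the second answer's `\w+` stops at anything that is not a letter, digit or underscore. On the sample names in the question (letters, digits and underscores only) the two agree, but a database name containing, say, a hyphen or a dot would be extracted whole by the first pattern and truncated by the second, so pick the character class that matches the real naming convention.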