Thanks all! All of your answers were helpful and let me accomplish what I was looking for.

Is there an efficient way to extract the two values to one field ? Lets say User(name, last) ? Or should the fields be merged after being extracted?

Well, sort of but you get the yucky stuff in the middle.

DC=\w+\/(?<name>[^\\]+\\, \w+)

That would give you First\, Last which is ... probably not quite what you desire. You can't split a single field up like what you want... no, you can't combine two individual things into one field? Either way, I'm not aware of a way to do that, so just combine 'em at the end.

 ... | rex "DC=\w+\/(?<name>[^\\]+)\\, (?<last>\w+)" | eval FullName=name." ".last | ...

There's a zillion ways to accomplish that, but if I didn't fat finger it there's one. It's fragile, though - if you have an event without a first name, well, you'll not have a FullName either. 🙂 More help can be given if required, but if it works for your needs then it's probably good enough.

If this or the other answer resolves your needs (you can apply my mini-extra-solution to either!), could you please mark one as the answer to help everyone else who stumbles across this answer later?

Hi Rich,

I was able to understand the regex except the point where we added [^\] after name capturing. The other character '\' after First could be understood to be escaped properly but why [^\]

Thanks !

I read the '\' as a delimiter rather than an escaped comma. Try this regex to get the entire name in one field.

... | rex "DC=\w+\/(?<name>[\w, \\]+)" | ...

This will probably leave the escaped comma in the name field. I've been unsuccessful removing it.

that works but it also captures "\" after name and before the comma so it look like "name\, last" any way of removing "\" ?

Like I said in my last comment, I've been unsuccessful at removing the '\'. I just tried something else that worked. Add this after the above rex command.

| rex field=name mode=sed "s/\\\//g" | ...