I am trying to extract the username into a field that I can use and have so far been unsuccessful. I am doing this based on the log entries below.
Mar 4 17:20:43 hostname sudo: [ID 702911 local2.notice] username : TTY=pts/3 ; PWD=/export/home/username ; USER=root ; COMMAND=/usr/bin/su -
Mar 7 11:44:47 hostname sudo: [ID 702911 local2.notice] user : TTY=pts/5 ; PWD=/export/home/user ; USER=root ; COMMAND=/usr/bin/su -
I have tried this search and regex but have been unsuccessful. If the username is a different length it won't pick it up. Also, it doesn't seem to pick up all occurrences of the same name either.
sudo "COMMAND=/usr/bin/su"
| rex "(?i)\\.notice\\] (?P<FIELDNAME>\\w+\\s+:)"
| fields FIELDNAME
| dedup FIELDNAME
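As an added example (not from the question or from Splunk), the two sudo lines above plus two constructed ones run through both the poster's pattern and a corrected one in Python's `re`, whose `(?P<name>...)` group syntax matches what `rex` uses. The corrected pattern keeps the ` :` delimiter outside the named group and uses `\S+` instead of `\w+`, so usernames of any length, including ones with `.` or `-`, are captured cleanly.

```python
import re

# Constructed sample lines in the shape of the Solaris syslog sudo entries quoted in the question.
SAMPLE_LOGS = [
    "Mar 4 17:20:43 hostname sudo: [ID 702911 local2.notice] username : TTY=pts/3 ; PWD=/export/home/username ; USER=root ; COMMAND=/usr/bin/su -",
    "Mar 7 11:44:47 hostname sudo: [ID 702911 local2.notice] user : TTY=pts/5 ; PWD=/export/home/user ; USER=root ; COMMAND=/usr/bin/su -",
    "Mar 7 11:50:02 hostname sudo: [ID 702911 local2.notice] j.doe-admin : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su -",
    "Mar 7 11:51:10 hostname sudo: [ID 702911 local2.notice] user : TTY=pts/5 ; PWD=/export/home/user ; USER=root ; COMMAND=/usr/bin/su -",
]

# The pattern from the question: the named group swallows the trailing whitespace and the colon,
# and \w+ cannot match a username that contains '.' or '-', so such lines yield no field at all.
ORIGINAL_RE = re.compile(r"(?i)\.notice\] (?P<FIELDNAME>\w+\s+:)")

# Corrected pattern: capture only the non-space token before ' :' and pull out the other
# sudo fields while we are at it. Equivalent Splunk form of the username part:
#   | rex "\.notice\]\s+(?P<FIELDNAME>\S+)\s+:"
SUDO_RE = re.compile(
    r"\.notice\]\s+(?P<FIELDNAME>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)"
    r"\s+;\s+USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)


def original_capture(line):
    """What the question's regex puts into FIELDNAME for one line (None if it does not match)."""
    m = ORIGINAL_RE.search(line)
    return m.group("FIELDNAME") if m else None


def parse_sudo_line(line):
    """Return a dict of the sudo fields, or None if the line is not a sudo entry in this format."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def invoking_users(lines, command_prefix="/usr/bin/su"):
    """Distinct invoking usernames for entries whose COMMAND starts with command_prefix,
    mirroring the search filter plus `| dedup FIELDNAME` (first-seen order kept)."""
    seen = []
    for line in lines:
        rec = parse_sudo_line(line)
        if rec and rec["command"].startswith(command_prefix) and rec["FIELDNAME"] not in seen:
            seen.append(rec["FIELDNAME"])
    return seen
```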
I am currently creating a new Splunk instance on a new server. I would like to migrate all of the created items, such as views, dashboards, searches, users, etc., over. What is the best way to handle this?