I'm failing miserably at this. I'm hoping someone can help me out so I can build my knowledge for future extractions I'm getting the following record from an application, via syslog and need to perform field extractions: Jan 30 08:50:14 8.8.8.8 Smith, Jim ([email protected])|Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Domain.local\Users )'|Success Where: Jan 30 08:50:14 (DateTime) 8.8.8.8 (src_ip) Smith, Jim (src_user) [email protected] (src_userupn) Run PowerShell script 'Add Record to DB' for 'Smith, Jim (Canada.CompassGroup.Corp\Users - Compass)' (message) Success (Result) Result is optional and may not be in each record, depending on what the message is. Any regex gurus out there that can help me out? ... View more

Hello everyone. I'm trying to get a time chart of unique users from my IIS logs. Our apps are both authenticated and unauthenticated, so a unique user is both a unique username and a unique IP with no username. Its been a long day and I can't figure it out, but here's what I'm working with so far: earliest=-7d@d latest=@d | timechart span=1d dc(cs_username) Here's some sample data to help visualize: cs_username,c_ip User1,1.1.1.1 User2,2.2.2.2 User3,1.1.1.1 ,3.1.1.1 ,4.4.4.4 ,1.1.1.1 NOTE: As pictured above, there could be duplicate IPs for users, and even a user with username having the same IP as a record containing no username. Any tips? Thanks everyone! ... View more