Extract username with comma

I have the following syslog

Jan 30 14:34:05 10.234.150.21 Jan 30 13:34:05 DEN-COLO-VBN-CTRL-01 stm[10699]: <305007> <info> <den-colo-vbn-ctrl-01 10.234.150.21=""> AP Smith, John replacement bootstrapped

I am trying to extract "John Smith" as the username. The closest I have gotten so far:

(?:[^-n]*-){8}d+s+d+.d+.d+.d+>s+w+s+(?P<fieldname2>[^,]+),(?P<fieldname1>s+w+)

which extracts "John" as the First Name and "Smith" as the last name. Can I concatenate the two somehow? Also having the username as "Smith, John" would work as well.

Any thoughts?

asked 30 Jan '12, 12:42

loorimar
21●1
accept rate: 0%

One Answer:

oldest newest most voted

You can use an eval command to create a new field:

| eval fullname= fieldname1 . " " . fieldname2

That'll create a field called fullname that's = "John Smith"

Brian

link

answered 30 Jan '12, 13:14

Brian Osburn
191●1●2●21
accept rate: 23%

Thanks Brian,

That's very cool. Ideally I would like to have this extracted into a single field at search time so I don't have to eval it as part of the search.

(30 Jan '12, 13:19) loorimar

Post your answer

toggle preview

Follow this question

Email:

RSS:

Answers

Answers + Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "Title")
image?![alt text](/path/img.jpg "Title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Tags:

field ×264
extract ×52
username ×15
comma ×8

Asked: 30 Jan '12, 12:42

Seen: 438 times

Last updated: 30 Jan '12, 13:19

Extract username with comma

Follow this question

Splunk Resources

Related questions