Feb 13 22:01:25 XXXINFQST03 sshd[9161]: Accepted password for admin from
Above is the message I am getting from Linux logs from which I want to create fileds like
Time:Feb 13 22:01:25 & User=admin
Can anyone provide me the regex for this or any other way ??
Help apprecieted ..
If your sourcetype is syslog, and you have Splunk_TA_nix installed, you should get the user information that you want. If you really want it all in one field, you could try this in your props.conf:
[mysourcetype]
REPORT-myfield = myfield
Then in your transforms.conf
[myfield]
REGEX = (\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}).*Accepted\spassword\sfor\s(\S+)
FORMAT = myfield::Time:$1 & User=$2
Not positive about the spaces in the FORMAT section, but it's a start.
HTH
Dave