The following is one of the sample raw logs.
01/14/19 2:05:25.000 PM
2019-01-14 19:05:24.915 INFO 1234 --- [abcd-2] AUDIT : Tim Tom (timtom@abc.com), SESSION_DESTROYED
2019-01-14 19:05:25.915 INFO 5678 --- [efgh-21] AUDIT : Jerry Tom (jerrytom@abc.com), SESSION_DESTROYED
2019-01-14 19:05:25.915 INFO 9101 --- [ijkl-32] AUDIT : ben ten (ben10@abc.com), SESSION_DESTROYED
2019-01-14 19:05:25.915 INFO 1213 --- [mnop-62] AUDIT : Jhonney S Depp (jhonydepp@abc.com), SESSION_DESTROYED
Now, what could the regexes be for creating fields for username and email, as below?
Username        Email
Tim Tom         timtom@abc.com
Try this:
... | rex "[^\]]+][^:]+:\s*(?<Username>[^(,]+(?<!\s))\s*\((?<Email>[^\)]+)"
Try this (inline in the search; the same regex can be used for a saved field extraction):
your base search | rex "AUDIT\s+:\s+(?<Username>[^(]+?)\s*\((?<Email>[^)]+)"
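To check both answers against the sample events offline before putting them in a search, here is an added test harness (my own code, not from the question or either answer). It embeds the four log lines from the question as constructed input, runs each rex pattern over them and returns the captured fields. One assumption worth knowing about: Splunk rex is PCRE, where a named group is `(?<name>...)`, while Python's `re` only accepts `(?P<name>...)`, so the harness rewrites that opener (and leaves the `(?<!\s)` lookbehind in the first answer alone). The second pattern is written with a lazy quantifier and `\s*` before the `(` so Username does not carry a trailing space. The third pattern, `REX_FULL`, goes beyond the page: it extracts every field in the line (timestamp, level, pid, thread, action as well as the two asked for) and is my assumption about the line layout, not something from the original post.

```python
import re

# Sample events copied from the question; constructed test input, not live data.
SAMPLE_LINES = [
    "2019-01-14 19:05:24.915 INFO 1234 --- [abcd-2] AUDIT : Tim Tom (timtom@abc.com), SESSION_DESTROYED",
    "2019-01-14 19:05:25.915 INFO 5678 --- [efgh-21] AUDIT : Jerry Tom (jerrytom@abc.com), SESSION_DESTROYED",
    "2019-01-14 19:05:25.915 INFO 9101 --- [ijkl-32] AUDIT : ben ten (ben10@abc.com), SESSION_DESTROYED",
    "2019-01-14 19:05:25.915 INFO 1213 --- [mnop-62] AUDIT : Jhonney S Depp (jhonydepp@abc.com), SESSION_DESTROYED",
]

# The two rex patterns from the answers, in Splunk's PCRE syntax.
# Answer 1 strips the trailing space from Username with a negative lookbehind.
REX_ANSWER_1 = r"[^\]]+][^:]+:\s*(?<Username>[^(,]+(?<!\s))\s*\((?<Email>[^\)]+)"
# Answer 2 does the same with a lazy quantifier followed by \s* before the "(".
REX_ANSWER_2 = r"AUDIT\s+:\s+(?<Username>[^(]+?)\s*\((?<Email>[^)]+)"

# Assumed extension (not on the page): one pattern for every field in the line,
# so an event can be checked as a full extraction, not just the two fields asked for.
REX_FULL = (
    r"^(?<Timestamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?<Level>[A-Z]+)\s+(?<Pid>\d+)\s+---\s+\[(?<Thread>[^\]]+)\]\s+"
    r"AUDIT\s*:\s*(?<Username>[^(]+?)\s*\((?<Email>[^)]+)\),\s*(?<Action>\S+)"
)


def pcre_to_python(pattern: str) -> str:
    """Splunk rex is PCRE, where named groups are written (?<name>...).
    Python's re module only accepts (?P<name>...), so rewrite that opener.
    Lookbehinds (?<= and (?<! are not named groups and are left untouched."""
    return re.sub(r"\(\?<([A-Za-z_]\w*)>", r"(?P<\1>", pattern)


def rex(line: str, pattern: str) -> dict:
    """Mimic `| rex "<pattern>"` on one event: return the named captures,
    or an empty dict when the pattern does not match (Splunk leaves the fields unset)."""
    m = re.search(pcre_to_python(pattern), line)
    return m.groupdict() if m else {}


def extract_all(lines, pattern):
    """Apply one rex pattern to every event and collect the field dicts."""
    return [rex(line, pattern) for line in lines]


if __name__ == "__main__":
    for name, pattern in (("answer 1", REX_ANSWER_1), ("answer 2", REX_ANSWER_2), ("full", REX_FULL)):
        print(f"--- {name}")
        for fields in extract_all(SAMPLE_LINES, pattern):
            print(fields)
```

Both answer patterns yield the same Username/Email pairs on these four events; the difference is that answer 1 also refuses a comma inside the name, which matters only if your real data has names like "Depp, Johnny".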