I have the regex query as below
sourcetype=syslog
| rex field=_raw "(?<activity>rshd[^:]*: .+) as (?<username>[^\s:]+)"
| rex field=_raw "(?<activity>ssh-server-g3.*)Username: (?<username>[^\s,]+)"
| rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>.+)"
| table activity username target_account
And the sample results are as follows:
activity          username   target-account
/bin/su - oracle  ABC        root
Now, how can I break the activity into two different fields, command and argument, as shown below?
activity          username   target-account   command   argument
/bin/su - oracle  ABC        root             su        - oracle
Please format the code using the "101010" button on the editor, or by selecting the code and pressing Ctrl+K. Also, a sample event would be helpful here. With this truncated rex, I would suggest something like this (for the last rex; the rest would remain the same):
....
| rex field=_raw "(sudo|dzdo).* (?<username>[^\s]+) :.*USER=(?<target_account>\S+).*COMMAND=(?<activity>(?<command>\S+)\s+(?<argument>.+))"
| table activity username target_account command argument
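To show how the nested named groups in the answer above behave, here is an added example (editor's code, not part of the thread and not Splunk's own code) that runs the same PCRE-style pattern as a JavaScript regex over constructed sudo syslog lines. The field names username, target_account, activity, command and argument are the ones used in the thread; the three log lines are constructed samples, not real events. The example goes one step beyond the answer: it also shows that the pattern as literally posted is missing the closing parenthesis of the activity group and does not compile, and it adds a variant with an optional argument group so that commands run without arguments (COMMAND=/bin/bash) still yield command and activity instead of silently matching nothing.

```javascript
// Added example: the corrected rex from the answer, exercised as a JS regex.
// Field names follow the thread; the log lines below are constructed samples.

// Regex body exactly as it sits inside the SPL rex "..." string, with the
// closing paren of the activity group in place.
const REX_ANSWER =
  "(sudo|dzdo).* (?<username>[^\\s]+) :.*USER=(?<target_account>\\S+).*COMMAND=(?<activity>(?<command>\\S+)\\s+(?<argument>.+))";

// Generalised form: the argument group is optional, so a command with no
// arguments still extracts command and activity (argument stays unset).
const REX_OPTIONAL_ARGS =
  "(sudo|dzdo).* (?<username>[^\\s]+) :.*USER=(?<target_account>\\S+).*COMMAND=(?<activity>(?<command>\\S+)(?:\\s+(?<argument>.+))?)";

// Constructed sample events in the usual sudo syslog layout (not real data).
const SAMPLE_EVENTS = [
  "Mar 10 12:00:01 host1 sudo:   ABC : TTY=pts/0 ; PWD=/home/ABC ; USER=root ; COMMAND=/bin/su - oracle",
  "Mar 10 12:00:05 host1 sudo:   ABC : TTY=pts/0 ; PWD=/home/ABC ; USER=root ; COMMAND=/bin/bash",
  "Mar 10 12:00:09 host1 sshd[123]: Accepted publickey for ABC from 10.0.0.5 port 5000 ssh2",
];

// Mimics `| rex field=_raw "<pattern>"`: returns the named groups on a match,
// or null when the event does not match (Splunk then leaves the fields unset).
function rexExtract(pattern, event) {
  const m = new RegExp(pattern).exec(event);
  if (!m) return null;
  const fields = {};
  for (const [name, value] of Object.entries(m.groups)) {
    if (value !== undefined) fields[name] = value; // skip unmatched optional groups
  }
  return fields;
}

// Runs the pattern over every event and keeps only the rows that matched,
// roughly what `| table ...` would show for those fields.
function buildTable(pattern, events) {
  return events.map((e) => rexExtract(pattern, e)).filter((r) => r !== null);
}

// The pattern as literally posted in the answer never closes the activity
// group, so the regex engine rejects it outright. Returns true when it throws.
function patternAsPostedIsInvalid() {
  const asPosted =
    "(sudo|dzdo).* (?<username>[^\\s]+) :.*USER=(?<target_account>\\S+).*COMMAND=(?<activity>(?<command>\\S+)\\s+(?<argument>.+)";
  try {
    new RegExp(asPosted);
    return false;
  } catch (e) {
    return e instanceof SyntaxError;
  }
}

// Stand-alone run: print both tables so the dropped /bin/bash row is visible.
console.log("answer pattern:", buildTable(REX_ANSWER, SAMPLE_EVENTS));
console.log("optional args: ", buildTable(REX_OPTIONAL_ARGS, SAMPLE_EVENTS));
console.log("posted pattern compiles:", !patternAsPostedIsInvalid());
```

With the answer's pattern the second event (COMMAND=/bin/bash) produces no row at all, because `\s+(?<argument>.+)` requires at least one argument; for a privileged-command audit search that silently drops exactly the events you would want to see, which is why the optional-argument variant is worth using.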
Thanks for your response @somesoni2. I have reported the question with the details at the link below. Please take a look when you get a chance.
https://answers.splunk.com/answers/747796/how-to-use-field-transformations-in-a-splunk-query.html