I've looked around but haven't found the exact same issue I am having. I need to figure out how to fix the following:
Feb 10 07:29:35 authpriv info devbox.domain.com sshd[16296]: pam_unix(sshd:session): session opened for user DOMAIN+jsmith by (uid=0)
host = splunk.domain.com
punct = __::___.._[]:__(:):_____+__(=)
source = /var/log/archive/incoming/2016/02/10/devbox.domain.com/sshd.log
sourcetype = %authlog%
Normally it would just be user jsmith but since I joined it to the Windows domain it added the domain before the user. All of the results just show up as DOMAIN. Is there a way with regex or something else to get it to show up as DOMAIN+jsmith or just jsmith?
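An added example, not part of the original post, that reproduces the symptom and shows a regex which keeps the full DOMAIN+user value (and the bare user, when no domain prefix is present). The sample events are constructed from the pam_unix line above; the regex is plain Python `re`, and the same pattern carries over to Splunk's `rex` command or a props.conf/transforms.conf extraction by writing the named groups as `(?<user>...)` instead of `(?P<user>...)`.

```python
import re

# Constructed sample events modelled on the sshd/pam_unix line in the question.
SAMPLE_EVENTS = [
    "Feb 10 07:29:35 authpriv info devbox.domain.com sshd[16296]: "
    "pam_unix(sshd:session): session opened for user DOMAIN+jsmith by (uid=0)",
    "Feb 10 07:31:02 authpriv info devbox.domain.com sshd[16310]: "
    "pam_unix(sshd:session): session opened for user jsmith by (uid=0)",
    "Feb 10 07:32:44 authpriv info devbox.domain.com sshd[16322]: "
    "pam_unix(sshd:session): session closed for user DOMAIN+jsmith",
]

# A \w+ style extraction reproduces the symptom: \w is [A-Za-z0-9_], so the
# match stops at the '+' and only "DOMAIN" is captured.
NAIVE_USER_RE = re.compile(r"for user (?P<user>\w+)")

# Extraction that keeps the DOMAIN+user form. The '+' separator comes from the
# event in the question; the domain part is optional so local accounts still
# extract. Allowed characters are an assumption (letters, digits, . _ -).
DOMAIN_USER_RE = re.compile(
    r"for user (?:(?P<domain>[A-Za-z0-9._-]+)\+)?(?P<user>[A-Za-z0-9._-]+)"
)


def naive_extract(event):
    """Return what a \\w+ based user field would contain, or None."""
    m = NAIVE_USER_RE.search(event)
    return m.group("user") if m else None


def extract_account(event):
    """Return (domain, user, qualified) for a pam_unix session event.

    domain is None for accounts without a DOMAIN+ prefix; qualified is the
    value to report so logins are attributed to the right principal.
    """
    m = DOMAIN_USER_RE.search(event)
    if not m:
        return None
    domain, user = m.group("domain"), m.group("user")
    qualified = f"{domain}+{user}" if domain else user
    return domain, user, qualified


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"naive={naive_extract(ev)!r:<10} full={extract_account(ev)}")
```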