splunk

• Username from linux secure:
  for(?:\suser)?(?:\sinvalid user)?\s(?<user>\S+)
• NOT vs !=
  if the field does not exist in a row. then row will not be included for "!=", however NOT search will include rows which do not have that field.