topic Regex for multiline in Splunk Search

Regex for multiline

robettinger — Mon, 25 Sep 2017 12:10:07 GMT

Hi,

I have the following event:

017/09/25 10:58:57 Client logging in as robertE on DB1...
Connect to Oracle failed: 
ORA-01017: invalid username/password; logon denied
ERROR:User login failed!

I am ok to extract the username via regex:

... | rex field=_raw "Client logging in as "(?<usernameFail>\w+)

but how do I also match the "failed" word in the 2nd line in order to differentiate successful & failed logons?

Thanks! 🙂

Re: Regex for multiline

HiroshiSatoh — Mon, 25 Sep 2017 12:22:31 GMT

Try this!

| rex field=_raw ".*Client logging in as (?<usernameFail>\w+) on DB1.*login failed!$"

Re: Regex for multiline

robettinger — Mon, 25 Sep 2017 12:39:00 GMT

Nope. Dunno why but the original event has the "failed" string in the second line. Basically I am trying to create a field called AccessFail with the username when the regex matches AND the words "ERROR" or "failed" are present and another field called AccessOK when the regex matches but the words are not present. Does this make sense?

Re: Regex for multiline

gcusello — Mon, 25 Sep 2017 12:51:58 GMT

Hi robettinger
try this

| rex "(?ms)Client logging in as (?<user_failed_login>[^ ]*).*failed"

you can test it at https://regex101.com/r/qWg6Tz/1
Bye.
Giuseppe

Re: Regex for multiline

robettinger — Mon, 25 Sep 2017 13:04:21 GMT

Hi. That works, cool! What about the second use case, when the regex matches but the words "ERROR" or "failed" are not in the text??

Thank you!!!!

Re: Regex for multiline

HiroshiSatoh — Mon, 25 Sep 2017 13:09:36 GMT

This is only acquired on failure.
Please show me the log at the time of success.

Re: Regex for multiline

gcusello — Mon, 25 Sep 2017 14:13:43 GMT

Hi robettinger
regex is all, also failed or ERROR, so if you haven't failed or ERROR field isn't extracted.

Modify the regex to manage also "ERROR" in addition to "failed"

(?ms)Client logging in as (?<user_failed_login>[^ ]*).*(failed|ERROR)

See updated example https://regex101.com/r/qWg6Tz/2

Bye.
Giuseppe

Re: Regex for multiline

robettinger — Tue, 26 Sep 2017 07:50:51 GMT

Hi Giuseppe,

that's what I would like: The Events:

2017/09/26 09:44:05 Client logging in as robertE on DB1...
2017/09/26 09:45:54 Client logging in as  on DB1...
ERROR:Missing login information
2017/09/26 08:58:02 Client logging in as jamesH on DB1...
Connect to Oracle failed: 
ORA-01017: invalid username/password; logon denied

These 3 events should match these 2 fields:

usernameOK: robertE
usernameFail: jamesH and ""

I can manage the usernameFail regex:

rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*(?i)(ERROR |failed|ERROR:)"

but I am struggling to get the usernameOK because if I use:

rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*

it will also match the failed ones ....

The question is how can I match only the events where there is no ERROR or FAIL in the body?

Re: Regex for multiline

inventsekar — Tue, 26 Sep 2017 08:29:02 GMT

but I am struggling to get the usernameOK because if I use:

     rex "(?ms)Client logging in as (?<usernameFail>[^ ]*).*

it will also match the failed ones ....

The question is how can I match only the events where there is no ERROR or FAIL in the body?

Please check -

rex "(?ms)Client logging in as (?<usernameOK>[^ ]*).*(\d+)"

Re: Regex for multiline

gcusello — Tue, 26 Sep 2017 08:38:53 GMT

Hi
for user_login use

| rex "Client logging in as (?<user_login>[^ ]*)(?!.*failed)"

test it at https://regex101.com/r/mKCWJs/1

Bye.
Giuseppe