topic Re: REGEX help on field extraction? in Splunk Search

REGEX help on field extraction?

remy06 — Wed, 06 Oct 2010 14:31:07 GMT

Hi,

I am trying to extract fields from events and here are the sample events:

AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4

TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit

CRON_Start root OK Tue Oct 05 23:40:00 2010 cron

S_PASSWD_READ root OK Tue Oct 05 23:40:00 2010 java

I am tring to extract the "login" field (user1,root) but the generated pattern doesn't match all values.

For example,if i selected user1 and root as the example values,the pattern generated only captures event for TCB_Exec,and not other events like AUD_Proc,CRON_Start & S_PASSWD_READ.

Re: REGEX help on field extraction?

Genti — Wed, 06 Oct 2010 14:43:48 GMT

i think something like this should work for you:

REGEX = ^\w+ (\w+)
Yourfield  = $1

If you can send a bigger log file i can be a bit more sure, but using a regex tester this works ok for me.

Hope this helps

Re: REGEX help on field extraction?

gkanapathy — Wed, 06 Oct 2010 15:10:26 GMT

I would use:

REGEX = ^\S+\s+(?<fieldname>\S+)

Re: REGEX help on field extraction?

remy06 — Wed, 06 Oct 2010 16:14:09 GMT

thanks for the prompt reply.

Do I specify the commands you've provided in props.conf?

Here is a list of examples where it contains 5 columns:
(eg. event-FS_CHdir, login-user3, status-OK, time, command - tsm,su)etc

I'm trying to extract these fields for the 5 columns.

FS_Chdir user3 OK Tue Oct 26 11:10:49 2004 tsm
change current directory to: /home/user3

S_ENVIRON_WRITE user3 FAIL Tue Oct 26 11:10:49 2004 tsm
audit object write event detected /etc/security/environ

S_PASSWD_READ user3 OK Tue Oct 26 11:10:50 2004 su
audit object read event detected /etc/security/passwd

USER_SU user3 OK Tue Oct 26 11:10:53 2004 su
root

AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4

TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit

CRON_Start root OK Tue Oct 05 23:40:00 2010 cron

Re: REGEX help on field extraction?

Genti — Wed, 06 Oct 2010 23:33:57 GMT

yes, something like:

[yoursourcetype]
EXTRACT-loginfield = ^\S+\s+(?<login>\S+)
EXTRACT-Status = ^\S+\s+\S+\s+(?<status>\S+)

..etc..

props.conf.spec for more info

Re: REGEX help on field extraction?

remy06 — Thu, 07 Oct 2010 11:39:10 GMT

I see..thanks it works fine.