topic Extracting data from specific field in Splunk Search

Extracting data from specific field

abctx007 — Sat, 21 Jun 2014 06:02:11 GMT

hi i tried playing with rex and regex but couldn't figure exact expression. my command field is in 3 different scenarios

1) COMMAND=/usr/local/bin/ssh -q host1
2) COMMAND=/usr/local/bin/ssh host1
3) COMMAND=/usr/local/bin/ssh -q host1 df -h

i want a search to give my results only in (1) and (2). we have jump server where many users jump via sudo to other users and i want the list of users only who jumped and not who executed command via for loop in scenario (3).
source="/var/raw/logs/sudo.log" host=jumpserver ??????????????????

1) COMMAND=/usr/local/bin/ssh mex-01
2) COMMAND=/usr/local/bin/ssh -q mex-02
3) COMMAND=/usr/local/bin/ssh -q mex-03 df -h /apps

from these above commands i want to extract only (1) and (2) and ignore (3)

Re: Extracting data from specific field

lguinn2 — Sat, 21 Jun 2014 18:24:58 GMT

You don't have to get a single perfect regular expression...

Here is one alternative

source="/var/raw/logs/sudo.log" host=jumpserver
| where NOT match(COMMAND,"/usr/local/bin/ssh -q \S+ df -h")
| where match(COMMAND,"/usr/local/bin/ssh -q \S+") OR  match(COMMAND,"/usr/local/bin/ssh \S+")

You might not need both of the where commands, but I thought that it was a nice illustration.

Re: Extracting data from specific field

abctx007 — Sun, 22 Jun 2014 17:48:22 GMT

Tks for your help Iguinn but in this case didn't help me, i should have been more clear in my Q. in case (3) command doesn't always be "df -h" it will one of many thousands. i want to ignore "/usr/local/bin/ssh -q host1 *" pretty much anything after host1. and by the way hostname(host1) also changes all the time.

Re: Extracting data from specific field

somesoni2 — Sun, 22 Jun 2014 19:19:54 GMT

Try this

source="/var/raw/logs/sudo.log" host=jumpserver | regex COMMAND="/usr/local/bin/ssh (-q \w+|\w+)*$"

Re: Extracting data from specific field

abctx007 — Mon, 23 Jun 2014 17:54:24 GMT

tks for suggestion but this didn't help. i want to list o/p whose executed "/usr/local/bin/ssh hostname" and "/usr/local/bin/ssh -q hostname" but not "/usr/local/bin/ssh -q hostname *"

Re: Extracting data from specific field

grijhwani — Mon, 23 Jun 2014 18:19:22 GMT

How about a sample of actual log data (names/commands obfuscated if you like), and then a representation (not a description) of the results you are seeking to generate.

Re: Extracting data from specific field

lguinn2 — Tue, 24 Jun 2014 03:58:29 GMT

Try this:

source="/var/raw/logs/sudo.log" host=jumpserver
| where match(COMMAND,"/usr/local/bin/ssh -q \S+\s*$") OR  match(COMMAND,"/usr/local/bin/ssh \S+\s*$")

This will only match COMMAND fields that have nothing (or only whitespace) after the host name.

Re: Extracting data from specific field

abctx007 — Tue, 24 Jun 2014 20:00:37 GMT

Tk you very much lguinn that is what i was looking for.appreciate your help.