topic Re: Identify field command with regex in Splunk Search

Identify field command with regex

dfigurello — Wed, 15 Jan 2014 13:29:29 GMT

Hey Splunkers,

Could you help me about identify a field. I don't have experience with regex. In my case I have firewalls log, for example:

command 'top '
command 'delete user teste '
command 'edit system login '
command 'commit '
command 'set login user teste uid 2006 class super-user authentication plain-text-password '

I want to indentify the field "command"

command = top
command = delete user teste
command = edit system login
command = commit

I tried with IFX but not works. Anyone have any idea about that?

Tks Splunkers.

Re: Identify field command with regex

gfreitas — Wed, 15 Jan 2014 13:43:02 GMT

I think you should try this: \'(.*?)\'

It worked for me! 😉

Re: Identify field command with regex

dfigurello — Mon, 28 Sep 2020 15:39:52 GMT

Follow the logs:

Jan 15 11:43:33 10.30.0.43 Jan 15 11:27:08 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'exit '
Jan 15 11:42:23 10.30.0.43 Jan 15 11:25:58 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'commit and-quit '
Jan 15 11:41:55 10.30.0.43 Jan 15 11:25:30 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'commit check '
Jan 15 11:41:49 10.30.0.43 Jan 15 11:25:24 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'set interfaces fe-0/0/7 description multiplan '

Tks.

Re: Identify field command with regex

theouhuios — Wed, 15 Jan 2014 15:51:39 GMT

<yoursearch>|rex field=_raw "command\s+\'(?<command>.*)\'$"

Try the above rex. Is there a space after command and ' ? If not then this should work

 <yoursearch>|rex field=_raw "command\'(?<command>.*)\'$"

Re: Identify field command with regex

dfigurello — Wed, 15 Jan 2014 16:35:43 GMT

Worked! Tks theouhuios!