Regex for filed extraction

darshan_singh01 — Fri, 14 Feb 2014 04:12:41 GMT

Feb 13 22:01:25 XXXINFQST03 sshd[9161]: Accepted password for admin from

Above is the message I am getting from Linux logs from which I want to create fileds like

Time:Feb 13 22:01:25 & User=admin

Can anyone provide me the regex for this or any other way ??

Help apprecieted ..

Re: Regex for filed extraction

dshpritz — Fri, 14 Feb 2014 05:27:41 GMT

If your sourcetype is syslog, and you have Splunk_TA_nix installed, you should get the user information that you want. If you really want it all in one field, you could try this in your props.conf:

[mysourcetype]
REPORT-myfield = myfield

Then in your transforms.conf

[myfield]
REGEX = (\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}).*Accepted\spassword\sfor\s(\S+)
FORMAT = myfield::Time:$1 & User=$2

Not positive about the spaces in the FORMAT section, but it's a start.

HTH

Dave

topic Re: Regex for filed extraction in Splunk Search

Regex for filed extraction

Re: Regex for filed extraction