topic Re: How do I skip a word extracted by the regular expression generated using the Field Extractor? in Splunk Search

How do I skip a word extracted by the regular expression generated using the Field Extractor?

danielgp89 — Sat, 28 Jan 2017 01:18:52 GMT

I'm so desperate! how do I skip a value from the regular expressions? For example in these lines.

I don't want to extract the word "invalid"! I only want to extract the users (root, apache, mail and games), but when I apply the regular expression, it brings me invalid. How do I skip that word?

Thu Oct 31 2016 00:15:06 mailsv1 sshd[5276]: Failed password for invalid user appserver from xxx.x.xx.xx port 3351 ssh2
Thu Oct 31 2016 00:15:06 mailsv1 sshd[1039]: Failed password for root from xxx.x.xx.xx port 3768 ssh2
Thu Oct 31 2016 00:15:06 mailsv1 sshd[1165]: Failed password for apache from xxx.x.xx.xx port 4604 ssh2
Thu Oct 31 2016 00:15:06 mailsv1 sshd[4998]: Failed password for mail from xxx.x.xx.xx port 1552 ssh2
Thu Oct 31 2016 00:15:06 mailsv1 sshd[1930]: Failed password for games from xxx.x.xx.xx port 3007 ssh2

Re: How do I skip a word extracted by the regular expression generated using the Field Extractor?

skoelpin — Sat, 28 Jan 2017 04:08:35 GMT

Try this, the fieldname will be UserName

for\s(?<UserName>\w+)\sfrom

Re: How do I skip a word extracted by the regular expression generated using the Field Extractor?

adauria_splunk — Sat, 28 Jan 2017 15:14:31 GMT

You need to make the word invalid optional. maybe this:

for\s(invalid )?(?<UserName>\w+)\sfrom

Re: How do I skip a word extracted by the regular expression generated using the Field Extractor?

gokadroid — Sun, 29 Jan 2017 01:20:56 GMT

If each line is an individual event and your current extraction is working fine for all other users, then why don't you try to cut the "not required bit" at the source query by using NOT "for invalid" in the search string so that you don't get these results at all.

Re: How do I skip a word extracted by the regular expression generated using the Field Extractor?

danielgp89 — Mon, 30 Jan 2017 19:52:16 GMT

Hi gokadroid!

I tried that. But when I cut all the logs and I use in the event action the field extractor it works fine, but at the moment I do a search with new field that I created, it also bring the word invalid and another ones that I don't want.

Re: How do I skip a word extracted by the regular expression generated using the Field Extractor?

danielgp89 — Mon, 30 Jan 2017 19:52:59 GMT

Thanks Adauria!

This solve my problem.

Best Regards.

Re: How do I skip a word extracted by the regular expression generated using the Field Extractor?

danielgp89 — Mon, 30 Jan 2017 19:53:37 GMT

Thanks skoelpin

This Solve my problem.

Best Regards!