I have 3 types of events as below:
Apr 2 11:35:28 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = karrc03, IP = ..., Session disconnected. Session Type: SSL, Duration: 2h:15m:12s, Bytes xmt: 59389646, Bytes rcv: 14229526, Reason: Idle Timeout
Apr 2 11:35:23 vg1 : %ASA-4-722051: Group User IP <...> IPv4 Address <...> IPv6 address <::> assigned to session
Apr 2 11:03:47 vg2 : %ASA-4-113005: AAA user authentication Rejected : reason = Invalid password : server = ... : user = SHAFED61 : user IP = ...
Now, I would like to fetch the events based on the words: Session disconnected, assigned to session, and Rejected in the separate column "EventType" by user.
Your help would be appreciated. Thanks in advance.
Fetching data based on the words in the event is as simple as specifying those words in the base search.
index=foo ("Session disconnected" OR "assigned to session" OR "Rejected")
If you are successfully extracting fields then you can look for those strings in a specific field by adding the field name to the query.
index=foo (EventType="Session disconnected" OR EventType="assigned to session" OR EventType="Rejected")
Fetching by user, however, is a concept foreign to me. Do you mean you want to group the events by user? If so, this should do it.
index=foo (EventType="Session disconnected" OR EventType="assigned to session" OR EventType="Rejected")
| stats values(*) as * by user
If you are not successfully extracting fields then you will need to do so for the second or third searches to work. For that, you should install the appropriate Cisco app on your indexers and search heads.
Thank you for your response.
These events are not fetched as extracted fields. Those are just words present in the events, so for ease of use I would like to give them the field name "EventType". Can we fetch those values (Session disconnected, assigned to session, Rejected) using a regular expression and store them in the new field EventType?
If so, can you please help me with regular expression?
Also, I am not able to change anything with Cisco app. That is out of my authorization. Thanks again!!
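As an added illustration (my own code, not from the Cisco app or from anyone in this thread), here is one regex per field run over the three events quoted in the question. It is written in Python so it can be executed offline, but the patterns are plain PCRE-style regexes that drop straight into Splunk's rex command; the only syntax difference is that Python spells a named group (?P<name>...) while rex spells it (?<name>...). The field names EventType, user and msg_id, the "unknown" bucket for events with no user, and the sample events (copied from the question with the poster's masking kept) are my assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Optional

# Constructed sample input: the three events quoted in the question, with the
# IPs/names masked exactly as the poster masked them ("..." / "<...>").
SAMPLE_EVENTS = [
    "Apr 2 11:35:28 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = karrc03, IP = ..., "
    "Session disconnected. Session Type: SSL, Duration: 2h:15m:12s, Bytes xmt: 59389646, "
    "Bytes rcv: 14229526, Reason: Idle Timeout",
    "Apr 2 11:35:23 vg1 : %ASA-4-722051: Group User IP <...> IPv4 Address <...> "
    "IPv6 address <::> assigned to session",
    "Apr 2 11:03:47 vg2 : %ASA-4-113005: AAA user authentication Rejected : reason = "
    "Invalid password : server = ... : user = SHAFED61 : user IP = ...",
]

# Field regexes (assumed names). Python uses (?P<name>...); Splunk rex uses (?<name>...).
# EventType: exactly the three phrases the question lists.
EVENT_TYPE_RE = re.compile(r"(?P<EventType>Session disconnected|assigned to session|Rejected)")
# user: "Username = karrc03," (113019) and "user = SHAFED61 :" (113005).
# The value stops at whitespace, comma or colon so the trailing "," / " :" is not captured,
# and "user IP = ..." does not match because of the literal " = " right after the keyword.
USER_RE = re.compile(r"\b(?:Username|user) = (?P<user>[^\s,:]+)")
# msg_id: the ASA message number, e.g. %ASA-4-113005 -> 113005, for exact filtering.
MSG_ID_RE = re.compile(r"%ASA-\d-(?P<msg_id>\d+)")


def extract(event: str) -> Dict[str, Optional[str]]:
    """Return EventType, user and msg_id for one raw event (None when a field is absent)."""
    fields: Dict[str, Optional[str]] = {"EventType": None, "user": None, "msg_id": None}
    for pattern in (EVENT_TYPE_RE, USER_RE, MSG_ID_RE):
        match = pattern.search(event)
        if match:
            fields.update(match.groupdict())
    return fields


def group_by_user(events: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Count EventType per user, the equivalent of '| stats count by user, EventType'.

    Events that match none of the three phrases are skipped; events with no user
    value (the masked 722051 line here) are counted under the assumed label 'unknown'.
    """
    counts: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for event in events:
        fields = extract(event)
        if fields["EventType"] is None:
            continue
        counts[fields["user"] or "unknown"][fields["EventType"]] += 1
    return {user: dict(per_type) for user, per_type in counts.items()}


if __name__ == "__main__":
    for raw in SAMPLE_EVENTS:
        print(extract(raw))
    print(group_by_user(SAMPLE_EVENTS))
```

The same patterns as a Splunk search (index name assumed, as in the earlier answer):

index=foo ("Session disconnected" OR "assigned to session" OR "Rejected")
| rex "(?<EventType>Session disconnected|assigned to session|Rejected)"
| rex "(?:Username|user) = (?<user>[^\s,:]+)"
| stats count by user, EventType

Note that the 722051 event as quoted here carries no user value (it was masked out), so it has nothing for the user regex to match; on unmasked data you would add a third alternation for that message's own format, which is outside what the question shows.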
Perhaps you could work with someone who has authorization to install the appropriate Cisco app.
If that's not possible, you can still download the app to your workstation and examine it to see the right way to extract fields from the events.
If you could post the actual event, it would be very helpful for creating a search for that.
The events are in the question. I am just hiding the IPs due to privacy issues.
Hope I understood your comment correctly!!