Hello,
I'm a newbie in the world of Splunk and I would like to know how I can add this word to make it a field.
My log is:
<85>Jun 9 14:00:58 ccstcasi sudo[10277]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status
USER =root host =localhost source =tcp:514 sourcetype =tcp-raw
I want to change my log to another log where splunker will be SUDO_ORIGIN=splunker, because splunker is the user who initiated the sudo command.
So I want something like that:
<85>Jun 9 14:00:58 ccstcasi sudo[10277]: SUDO_ORIGIN=splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status
USER =root host =localhost source =tcp:514 sourcetype =tcp-raw SUDO_ORIGIN:splunker or other user
because I want to visualize a histogram with: count of sudo commands / time, and I want to filter the sudo commands with SUDO_ORIGIN, that is, all users who execute the sudo command.
Thank you
PS: Sorry for my English
You can create a field extraction (using a regex, or the field extractor mentioned by Adonio above), and name the field you created SUDO_ORIGIN.
Assuming that the event always has something like "sudo[somenumber]: sudo_username "
Example of inline regex:
mysearch_for_sudo_events | rex "sudo\[\d+\]: (?<SUDO_ORIGIN>\w+) :"
| table _time SUDO_ORIGIN _raw
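A worked check of the extraction above, added here as an illustration and not part of the answer: the same capture pattern run with Python's re module over a few constructed sudo syslog lines shaped like the question's event, then counted per SUDO_ORIGIN and per time bucket the way the asker's histogram would. Two things are assumptions of this example rather than the answer's: Python writes the named group as (?P<name>...) where Splunk's rex accepts (?<name>...), and the user-name class is widened to [\w.-]+ because the answer's \w+ stops at '-' or '.' and would return only "backup" for an account such as backup-svc. The sample events are constructed, not real data.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample events shaped like the question's log line (not real data).
SAMPLE_EVENTS = [
    "<85>Jun 9 14:00:58 ccstcasi sudo[10277]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status",
    "<85>Jun 9 14:05:12 ccstcasi sudo[10301]: backup-svc : TTY=unknown ; PWD=/var/backups ; USER=root ; COMMAND=/usr/bin/rsync -a /srv /mnt/backup",
    "<85>Jun 9 14:07:45 ccstcasi sudo[10310]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/bin/systemctl restart chronyd",
    "<85>Jun 9 14:09:03 ccstcasi sshd[10333]: Accepted publickey for splunker from 10.0.0.5 port 51234 ssh2",  # not a sudo event
]

# Python-syntax equivalent of the answer's  rex "sudo\[\d+\]: (?<SUDO_ORIGIN>\w+) :",
# extended to the other fields on the same line. [\w.-]+ is an assumption of this
# example: it also matches account names containing '-' or '.', which \w+ truncates.
SUDO_RE = re.compile(
    r"sudo\[\d+\]: (?P<SUDO_ORIGIN>[\w.-]+) : "
    r"TTY=(?P<TTY>\S+) ; PWD=(?P<PWD>\S+) ; USER=(?P<USER>\S+) ; COMMAND=(?P<COMMAND>.*)$"
)

# Syslog timestamp right after the <PRI> prefix; note it carries no year.
TS_RE = re.compile(r"^<\d+>(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")


def extract_sudo_fields(event):
    """Return the extracted fields for a sudo event, or None for any other event."""
    m = SUDO_RE.search(event)
    return m.groupdict() if m else None


def count_sudo_by_origin(events):
    """Count sudo invocations per originating user (the asker's filter field)."""
    counts = Counter()
    for event in events:
        fields = extract_sudo_fields(event)
        if fields:
            counts[fields["SUDO_ORIGIN"]] += 1
    return dict(counts)


def sudo_timechart(events, span_minutes=5):
    """Bucket sudo invocations by (time bucket, SUDO_ORIGIN), like timechart ... by SUDO_ORIGIN."""
    buckets = Counter()
    for event in events:
        fields = extract_sudo_fields(event)
        ts = TS_RE.match(event)
        if not (fields and ts):
            continue
        # Collapse the double space in "Jun  9" before parsing (year defaults to 1900).
        stamp = datetime.strptime(" ".join(ts.group("ts").split()), "%b %d %H:%M:%S")
        floored = stamp.minute - stamp.minute % span_minutes
        bucket = stamp.strftime("%b %d ") + f"{stamp.hour:02d}:{floored:02d}"
        buckets[(bucket, fields["SUDO_ORIGIN"])] += 1
    return dict(buckets)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_sudo_fields(event))
    print(count_sudo_by_origin(SAMPLE_EVENTS))
    print(sudo_timechart(SAMPLE_EVENTS))
```

The non-sudo sshd line is deliberately included: an extraction that does not anchor on "sudo[" would silently attribute other daemons' lines to the wrong user, so checking that it yields None is the test worth keeping when the pattern is later changed.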
Hello yannK and Adonio,
Thanks for your answers, which helped me a lot.
Amir
Cordially
Sorry for the response time; being an alternate student, I could not answer you.
Thank you yannK and Adonio for your answer, it helped me a lot.
Amir
Cordially
Hello Amir,
you can use the interface field extractor:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
Also, this looks like some Linux log; I think that the Add-on for Linux has this one prebuilt.
Try to download and use it from here:
https://splunkbase.splunk.com/app/833/
Follow the docs on the app.
Hope it helps.