Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Generating a table without fields

snobyink
Explorer
‎02-13-2024 03:08 PM

Greetings!

We are trying to generate a table after we got output from a Splunk query. We are trying pipe (|) this to our query but do not know how to do this. Can someone assist? 

This is the output after we ran our Splunk query,

Feb 13 20:36:21 hostname1 sshd[100607]: pam_unix(sshd:session): session opened for user user123 by (uid=0)

Feb 13 20:36:23 hostname2 sshd[100608]: pam_unix(sshd:session): session opened for user user345 by (uid=0)

We want to capture the table in this form,

Time                                   Hosts                       Users

Feb 13 20:36:21       hostname1                user123

Feb 13 20:36:23       hostname2                user345

And so on..

How do we do this. Thank you in advance!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2024 07:11 AM

Hi @snobyink,

in this case, please try this regex instead the previus one:

^\w+\s+\d+\s+\d+:\d+:\d+\s+(?<host>\w+).*user\s(?<user>\w+)+

that you can test at https://regex101.com/r/bV4B9h/1

Ciao.

Giuseppe

View solution in original post

Reply
Solved! Jump to solution

snobyink
Explorer
‎02-14-2024 07:41 AM

Thank you for your help!

0 Karma
Reply
Solved! Jump to solution

snobyink
Explorer
‎02-14-2024 07:07 AM

Thanks! Unfortunately the hostname is not extracted as a field. How do we extract host as well from the output? In the meantime we are looking to see if we can install this Add On if we can get past the red tape 🙂

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎02-14-2024 07:11 AM

Hi @snobyink,

in this case, please try this regex instead the previus one:

^\w+\s+\d+\s+\d+:\d+:\d+\s+(?<host>\w+).*user\s(?<user>\w+)+

that you can test at https://regex101.com/r/bV4B9h/1

Ciao.

Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎02-13-2024 11:32 PM

Hi @snobyink,

at first, these seem to be Linux logs, so using the Splunk_TA_nix (https://splunkbase.splunk.com/app/833), you should have all the fields extracted.

Anyway, you can use a regex to extract the use field (the host should be already extracted:

index=your_index
| rex "for user (?<user>\w+)"
| table _time host user

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...