Hi micahkemp, it worked after removing the double quotes from the Extract command.

micahkemp, I am finding difficulties in Field Extraction (Parsing), I tried learning the Under Props.conf documentation -- Field Extraction but could not understand it, so could please let me know is there way where I can get an Video on Field Extraction (parsing). If you had come across any good video explaining on Field Extraction both Index time and Search time , please share the link with me.

thanks in advance .

I don't have links to any videos or other trainings, other than the free fundamentals course, which may not have field extraction content. You might want to post another question asking for links to free training options.

HI Dal Jeanis, can you please guide me on this, i am not sure why its not taking the complete command line information in command line field. It worked well when i executed the query in the search head.

 index=unix sourcetype=linux_secure COMMAND | rex   "sudo:.*?COMMAND=(?<COMMAND>[^;]+)(;|$)"

12/15/17
9:34:31.000 AM  
Dec 15 09:34:31 test01 sudo: solarwinds : TTY=pts/2 ; PWD=/opt/solarwinds ; USER=root ; COMMAND=/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log

But the same regex did not work when we pushed from props.conf with below stanza added and deployed to the search head cluster members.

[linux_secure]
EXTRACT-command = "sudo:.*?COMMAND=(?[^;]+)(;|$)"

Please guide me on this.
thanks in advance.

Hi Dal Jeanis, thanks for your effort on this, Just checked all the events which are getting populated when we execute the below query and found that all the events are having SUDO. I have also tested the regex which you had posted above along with query and it works fine getting the complete command details in the command field.

   index=unix sourcetype=linux_secure COMMAND | rex   "sudo:.*?COMMAND=(?<COMMAND>[^;]+)(;|$)"

Dec 14 15:00:21 test02 sudo: solarwinds : TTY=pts/3 ; PWD=/opt/solarwinds ; USER=root ; COMMAND=/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log

Can I push the below props.conf in the search head cluster environment.

[linux_secure]
 ## Event extractions by type
 REPORT-0authentication_for_linux_secure = ssh-login-events, ssh-session-close, ssh-disconnect, etc
 EXTRACT-command = "sudo:.*?COMMAND=(?[^;]+)(;|$)"

Kindly guide me on this.
thanks in advance.

@hemnath - remove the quotes from around the regex string. In a conf file, you don't need those quotes.

Hi Dal Jeanis, Can you please guide me on the above comment, so that I can push the changes to the search head master.

thanks in advance.

Hi Dal Jeanis, Good Morning, can you please guide me on the above comment, so that I can push the props.conf to the search head cluster via deployer.

thanks in advance.

Hi All, Can you please guide me on this, I had pushed the above props.conf file into the search head via deployer but no luck still I could see only partial command information present in the command field.

 [linux_secure]
  ## Event extractions by type
  REPORT-0authentication_for_linux_secure = ssh-login-events, ssh-session-close, ssh-disconnect, sshd_authentication_kerberos_success, sshd_authentication_refused, sshd_authentication_tried
  REPORT-account_management_for_linux_secure = useradd, userdel
  REPORT-firewall = ipfw, ipfw-stealth, ipfw-icmp, pf
  REPORT-routing = iptables
  EXTRACT-command = "sudo:.*?COMMAND=(?[^;]+)(;|$)"

When I searched using the above regex its working, I could see the entire command information in command line. But same when I added into the Props.conf for the sourcetype = linux_secure and pushed the changes in splunk it did not work, I am getting the partial command information in Command line field.

Kindly guide me how to parse entire command line information in the command field.

Hi Somesoni2, thanks for your effort on this, hey props and transforms are placed in both indexer instances/ search head and inputs.conf is placed in the remote nodes.

So I need to update it like this right in props.conf

[linux_secure]

EXTRACT-command = COMMAND\=(?.+)$

So shall I push the changes in both the indexer instance as well as search head master instances.
Kindly guide me please.

thanks in advance.

Based on configurations you've defined in props.conf and transforms.conf (Only search time field extraction related settings are present), they are not required to be deployed on Indexers. Go ahead and push it to Search Heads.

hi somesoni2, can you please guide me on this, i am not sure why its not taking the complete command line information in command line field(interesting field) . It worked well when executed the below query in the search head.

 index=unix sourcetype=linux_secure COMMAND | rex   "sudo:.*?COMMAND=(?<COMMAND>[^;]+)(;|$)"

12/15/17
9:34:31.000 AM

Dec 15 09:34:31 test01 sudo: solarwinds : TTY=pts/2 ; PWD=/opt/solarwinds ; USER=root ; COMMAND=/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log

But the same regex did not work when pushed from props.conf with below stanza added and deployed to the search head cluster members.

 [linux_secure]

   EXTRACT-command = "sudo:.*?COMMAND=(?[^;]+)(;|$)"

"Problem"- COMMAND is currently parsed as "/opt/solarwinds/utilities/check_file.sh"

"Exact Requirement"- Want it parses as "/opt/solarwinds/utilities/check_file.sh -e -f /var/log/audit/audit.log"

Please guide me on this .... I am not sure where its going wrong.

Hey micahkemp, thanks for your effort on this, I have updated the question with the Partial transforms.conf details. I am not sure how to make use of the code syntax to easier to read using 101010 button.

Kindly guide me on how to parsing issue.
thanks in advance.