Use regex to pull out a phrase with a specific word?

jhilton90
Path Finder

Right now I'm using regex to pull data with the phrase "MFA challenge succeeded" using the following regex:

| rex "(?<MFA>[a-z,A-Z,\s,\bcode\b]+)account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+).\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<keycloak_id>[a-z,0-9,-]+)"

from the following field:

message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111

However in the message field the MFA challenge succeeded will often be different, such as: 

MFA challenge issued
MFA code issued
MFA challenge failed.

I need a way to use regex to pull out messages where it says MFA challenge issued, MFA code issued, or MFA challenge failed, and then display them in a table.


richgalloway
SplunkTrust

The regex is looking for the phrase " with email ", but that text is not in the example event.  Can you make sure the provided examples are correct, please?

Entries in a regex character class are not separated by commas.  Use ([a-zA-Z\s]|\bcode\b) in place of [a-z,A-Z,\s,\bcode\b] and [a-z0-9-] in place of [a-z,0-9,-].

This rex command works with the provided text.

| rex "(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
---
If this reply helps you, Karma would be appreciated.

jhilton90
Path Finder

Thanks Rich, I've used the following code:

index=keycloak "MFA"
| rex "(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
| where isnotnull(account)
| table account, email, keycloak, MFA, _time

However, in the MFA column in the table it's only printing "MFA challenge issued".


richgalloway
SplunkTrust

Were there other events during the selected time window?  Can you please share them so I can verify the regex?


jhilton90
Path Finder

Yes there were other events as well such as:

message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg

The events that say MFA code issued are going to be displayed in one table, then the events that say MFA challenge issued will be displayed in another table, etc.


richgalloway
SplunkTrust

I read the OP was wanting to put all MFAs in a single table rather than in separate tables.  To put them into separate tables requires separate searches using a regex specific to the desired MFA.


jhilton90
Path Finder

Sorry, I should have been clearer. The regex used to extract MFA challenge issued, MFA code issued, MFA successful, and MFA failed will all go into their own separate tables.


richgalloway
SplunkTrust

Thanks for clarifying.  Separate tables call for separate searches and each search would have a rex command that matched only one of the MFA values.


jhilton90
Path Finder

I've tried using

| rex "(?<MFA>MFA (code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"

But that doesn't seem to want to work; at least when I test it on regex101 it doesn't like it.


richgalloway
SplunkTrust

Regex doesn't like it because it doesn't match the event.  Despite similarities around "MFA" the messages are not the same.

message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111

has different noise words between the fields than does 

message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg

The regex needs to match the event from which you are extracting fields.  Try this for "MFA code issued" events:

| rex "(?<MFA>MFA code issued) for account (?<account>\w+) with email (?<email>\S+) using sms\. Keycloak session id is (?<keycloak>\S+)"

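The two regex points made in this thread, that a character class is not comma-separated and that the pattern has to match the noise words of the exact message shape it is applied to, worked through in Python rather than SPL. This is an added example, not code from any of the posts. The sample events are constructed from the two message shapes quoted above (placeholder accounts, e-mail and session ids), and the MFA_EVENT pattern with its optional "method" group is a generalisation that covers both shapes in one expression, which the thread itself does not attempt.

```python
import re
from collections import defaultdict

# Constructed sample events modelled on the two message shapes quoted in the
# thread, plus one non-MFA line to show that non-matching events are skipped.
SAMPLE_EVENTS = [
    "message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111",
    "message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg",
    "message: MFA challenge issued for account ccccccc. Email is other@example.com. Keycloak session id is 22222222-2222-2222-2222-222222222222",
    "message: MFA challenge failed for account aaaaaaa. Email is example@example.com. Keycloak session id is 33333333-3333-3333-3333-333333333333",
    "message: User logged in for account zzzz",
]

# The OP's character class, as written. Inside [...] the commas are ordinary
# members of the class, and \b is a backspace character, not a word boundary,
# so this class happily accepts a comma.
WRONG_CLASS = re.compile(r"[a-z,A-Z,\s,\bcode\b]+")
# The corrected form suggested in the first answer: letters/whitespace, or the
# whole word "code" (redundant with the letters, kept to mirror the answer).
RIGHT_CLASS = re.compile(r"(?:[a-zA-Z\s]|\bcode\b)+")

# The regex from the first answer (Python needs (?P<name>...) for named groups).
# It only fits the ". Email is ..." shape.
SUCCEEDED_SHAPE = re.compile(
    r"(?P<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued))"
    r" for account (?P<account>\w+)\. Email is (?P<email>\S+)\. Keycloak session id is (?P<keycloak>\S+)"
)

# Generalisation (assumption, not from the thread): one pattern for both shapes.
# The text between account and e-mail differs (". Email is " vs " with email "),
# and the sms variant carries " using <method>" before the period, so an
# alternation and an optional group absorb the differing noise words.
MFA_EVENT = re.compile(
    r"(?P<MFA>MFA (?:challenge (?:succeeded|issued|failed)|code issued))"
    r" for account (?P<account>\w+)"
    r"(?:\. Email is | with email )(?P<email>\S+?)"
    r"(?: using (?P<method>\w+))?\."
    r" Keycloak session id is (?P<keycloak>\S+)"
)


def class_accepts(pattern, text):
    """True when the whole text is consumed by the class-style pattern."""
    return pattern.fullmatch(text) is not None


def extract(event, pattern=MFA_EVENT):
    """Return the named groups for one event, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None


def group_by_outcome(events, pattern=MFA_EVENT):
    """Bucket extracted rows by the MFA phrase: one list per 'table' the OP wants."""
    tables = defaultdict(list)
    for ev in events:
        row = extract(ev, pattern)
        if row is None:
            continue  # not an MFA event, or a message shape the pattern does not cover
        tables[row["MFA"]].append(row)
    return dict(tables)


if __name__ == "__main__":
    print("comma accepted by OP's class:", class_accepts(WRONG_CLASS, "MFA, challenge"))
    print("comma accepted by fixed class:", class_accepts(RIGHT_CLASS, "MFA, challenge"))
    print("first-answer regex on sms event:", extract(SAMPLE_EVENTS[1], SUCCEEDED_SHAPE))
    for outcome, rows in group_by_outcome(SAMPLE_EVENTS).items():
        print(outcome, rows)
```

Running the shape-specific pattern against the "MFA code issued ... with email ... using sms" event returns None, which is exactly why the OP's regex101 test "didn't like it": the pattern is correct for one shape and simply does not describe the other. Note that Python's re requires (?P<name>...) for named groups, whereas Splunk's rex accepts the (?<name>...) form used in the thread.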