Getting Data In

Use regex to pull out a phrase with a specific word?

jhilton90
Path Finder

Right now I'm using regex to pull data with the phrase "MFA challenge succeeded" using the following regex:

| rex "(?<MFA>[a-z,A-Z,\s,\bcode\b]+)account\s+(?<account>\w+)\s+with\s+email\s+(?<email>[^ ]+).\s+\w+\s+\w+\s+\w+\s+\w+\s+(?<keycloak_id>[a-z,0-9,-]+)"

from the following field:

message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111

However, in the message field the "MFA challenge succeeded" part will often be different, such as:

MFA challenge issued
MFA code issued
MFA challenge failed.

I need a way to use regex to pull out messages where it says MFA challenge issued, MFA code issued, or MFA challenge failed, and then display them in a table.

0 Karma

richgalloway
SplunkTrust

The regex is looking for the phrase " with email ", but that text is not in the example event.  Can you make sure the provided examples are correct, please?

Entries in a regex character class are not separated by commas.  Use ([a-zA-Z\s]|\bcode\b) in place of [a-z,A-Z,\s,\bcode\b] and [a-z0-9-] in place of [a-z,0-9,-].

This rex command works with the provided text.

| rex "(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
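To make the two corrections above concrete, here is an added example (not code from the thread) that runs the original character classes and both rex patterns against a constructed copy of the sample event. It uses Python's re module in place of Splunk's PCRE engine, which behaves the same way on every construct used here, with one syntactic difference: Python spells a named capture (?P<name>...) where rex accepts (?<name>...). Inside a character class a comma is a literal comma and \b is a backspace character (0x08), not a word boundary, in both engines, which is why the original class silently accepts commas and backspaces.

```python
import re

# Constructed sample event, modelled on the one in the question (not a real log line).
EVENT = ("MFA challenge succeeded for account aaaaaaa. Email is example@example.com. "
         "Keycloak session id is 11111111-1111-1111-1111-1111111111111")

# Character classes as written in the question. Inside [...] a comma is a literal
# comma, \s still means whitespace, but \b means BACKSPACE (0x08), not a word
# boundary, so "\bcode\b" only contributes the letters c, o, d, e plus backspace.
BAD_PREFIX_CLASS = re.compile(r"[a-z,A-Z,\s,\bcode\b]+")
BAD_ID_CLASS = re.compile(r"[a-z,0-9,-]+")

# The corrected forms from the reply: plain ranges, no commas, and a real
# \bcode\b alternative outside the class.
GOOD_PREFIX_CLASS = re.compile(r"(?:[a-zA-Z\s]|\bcode\b)+")
GOOD_ID_CLASS = re.compile(r"[a-z0-9-]+")


def class_accepts(pattern, text):
    """True when every character of text is accepted by the pattern."""
    return pattern.fullmatch(text) is not None


# The question's full rex translated to Python syntax: (?P<name>...) instead of
# (?<name>...). Everything else is unchanged, including " with email ", which the
# sample event does not contain.
ORIGINAL_REX = re.compile(
    r"(?P<MFA>[a-z,A-Z,\s,\bcode\b]+)account\s+(?P<account>\w+)\s+with\s+email\s+"
    r"(?P<email>[^ ]+).\s+\w+\s+\w+\s+\w+\s+\w+\s+(?P<keycloak_id>[a-z,0-9,-]+)"
)

# The reply's replacement rex, with the same syntax translation.
FIXED_REX = re.compile(
    r"(?P<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) "
    r"for account (?P<account>\w+)\. Email is (?P<email>\S+)\. "
    r"Keycloak session id is (?P<keycloak>\S+)"
)


def extract(pattern, text):
    """Return the named captures as a dict, or None when the regex does not match."""
    m = pattern.search(text)
    return m.groupdict() if m else None


if __name__ == "__main__":
    print("bad class accepts ',\\x08,':", class_accepts(BAD_PREFIX_CLASS, ",\x08,"))
    print("original rex on sample event:", extract(ORIGINAL_REX, EVENT))
    print("fixed rex on sample event:", extract(FIXED_REX, EVENT))
```

The first print shows the literal-comma/backspace problem; the second returns None because " with email " never appears in the event; the third returns the four named fields. When a rex "almost works", running it this way against a pasted event is quicker than guessing which token is wrong.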

jhilton90
Path Finder

Thanks Rich, I've used the following code:

index=keycloak "MFA"
| rex "(?<MFA>MFA (challenge succeeded|challenge issued|challenge failed|code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"
| where isnotnull(account)
| table account, email, keycloak, MFA, _time

However, in the MFA column in the table it's only printing "MFA challenge issued"

0 Karma

richgalloway
SplunkTrust

Were there other events during the selected time window?  Can you please share them so I can verify the regex?

---
If this reply helps you, Karma would be appreciated.
0 Karma

jhilton90
Path Finder

Yes there were other events as well such as:

message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg

The events that say MFA code issued are going to be displayed in one table, then the events that say MFA challenge issued will be displayed in another table etc

0 Karma

richgalloway
SplunkTrust

I read the OP as wanting to put all MFAs in a single table rather than in separate tables.  To put them into separate tables requires separate searches using a regex specific to the desired MFA.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jhilton90
Path Finder

Sorry I should have been clearer. The regex used to extract MFA challenge issued, MFA code issued, MFA successful, MFA failed will all go into their own separate tables

0 Karma

richgalloway
SplunkTrust

Thanks for clarifying.  Separate tables call for separate searches and each search would have a rex command that matched only one of the MFA values.

---
If this reply helps you, Karma would be appreciated.
0 Karma

jhilton90
Path Finder

I've tried using 

| rex "(?<MFA>MFA (code issued)) for account (?<account>\w+)\. Email is (?<email>\S+)\. Keycloak session id is (?<keycloak>\S+)"


But that doesn't seem to want to work, at least when I test it on regex101 it doesn't like it

0 Karma

richgalloway
SplunkTrust

Regex doesn't like it because it doesn't match the event.  Despite similarities around "MFA" the messages are not the same.

message: MFA challenge succeeded for account aaaaaaa. Email is example@example.com. Keycloak session id is 11111111-1111-1111-1111-1111111111111

has different noise words between the fields than does 

message: MFA code issued for account bbbbbbbb with email example@example.com using sms. Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg

The regex needs to match the event from which you are extracting fields.  Try this for "MFA code issued" events:

| rex "(?<MFA>MFA code issued) for account (?<account>\w+) with email (?<email>\S+) using sms\. Keycloak session id is (?<keycloak>\S+)"

---
If this reply helps you, Karma would be appreciated.
0 Karma
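The thread ends with one rex per message type because the "challenge succeeded" and "code issued" events carry different noise words between the fields. As an added example that is not from the thread, the Python below goes one step further than the per-type rex above: a single pattern with an alternation for the two layouts seen in the thread, applied to constructed events of all four types and then split into one table per outcome. It assumes, and the thread never confirms, that "challenge issued" and "challenge failed" events use one of those same two layouts, and the "not an MFA event" line is constructed to show that non-matching events are dropped. Python's re stands in for Splunk's PCRE; the only syntactic difference is (?P<name>...) for (?<name>...).

```python
import re
from collections import defaultdict

# Constructed sample events in the two layouts shown in the thread. The
# "challenge issued" and "challenge failed" lines are assumed to follow those
# same layouts; the last line is a deliberate non-match.
EVENTS = [
    "MFA challenge succeeded for account aaaaaaa. Email is example@example.com. "
    "Keycloak session id is 11111111-1111-1111-1111-1111111111111",
    "MFA code issued for account bbbbbbbb with email example@example.com using sms. "
    "Keycloak session id is dddddddd-4444-5555-6666-ggggggggggggg",
    "MFA challenge issued for account cccccccc with email other@example.com using totp. "
    "Keycloak session id is 22222222-2222-2222-2222-222222222222",
    "MFA challenge failed for account aaaaaaa. Email is example@example.com. "
    "Keycloak session id is 33333333-3333-3333-3333-333333333333",
    "User login for account zzzzzzzz. Not an MFA event at all",
]

# One pattern for both layouts. After the account, either ". Email is <addr>."
# or " with email <addr> using <method>." follows; the method group is only
# populated for the second layout.
MFA_RE = re.compile(
    r"MFA (?P<MFA>challenge succeeded|challenge issued|challenge failed|code issued) "
    r"for account (?P<account>\w+)"
    r"(?:\. Email is (?P<email1>\S+)\.| with email (?P<email2>\S+) using (?P<method>\w+)\.)"
    r" Keycloak session id is (?P<keycloak>\S+)"
)


def parse_event(message):
    """Return the extracted fields for one event, or None if it is not an MFA event."""
    m = MFA_RE.search(message)
    if not m:
        return None
    d = m.groupdict()
    return {
        "MFA": "MFA " + d["MFA"],
        "account": d["account"],
        "email": d["email1"] or d["email2"],   # whichever layout matched
        "method": d["method"],                 # None for the "Email is" layout
        "keycloak": d["keycloak"],
    }


def tables_by_outcome(messages):
    """Group parsed rows by MFA outcome: one table per outcome, as the OP wants."""
    tables = defaultdict(list)
    for msg in messages:
        row = parse_event(msg)
        if row is not None:   # same effect as `| where isnotnull(account)`
            tables[row["MFA"]].append(row)
    return dict(tables)


if __name__ == "__main__":
    for outcome, rows in tables_by_outcome(EVENTS).items():
        print(outcome)
        for row in rows:
            print("  ", row["account"], row["email"], row["method"], row["keycloak"])
```

The same alternation can be pasted into a single rex (with (?<name>...) captures), followed by `| eval email=coalesce(email1, email2)` and either a `| where MFA="..."` per search or `| stats ... by MFA`, so the search only has to change when Keycloak introduces a third message layout rather than a new outcome word.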