I'm trying to write a shell script in response to attempted ssh logins from multiple IP addresses. I have used rex to create a username field in my search since splunk couldn't grab the data itself, and was wondering if there is any way of passing the value of the field into my shell script.
eventtype=ssh-login-attempt | rex field=_raw "User '(?\w+)"
I'm looking to get the value of the username field into my shell script.
Thanks for the response. Just had a quick scroll through the REST API, not sure if that's what I'm looking for, however I will have a better read 'morrow when I wake up.
Just to clarify, the search will pick out users that try to ssh into the server from more than one ip address.
So for instance if the user 'andy' tries to ssh in from 192.168.0.2 and 192.168.1.5 the alert will fire off. What I'm trying to do is pass the value of the username, in this case 'andy', to the script, so that I could for example change the motd on the router to something like " Andy tried to login from 2 IPs "