
add regular expression for cisco ISE accounting logs CmdAV=show CmdArgAV=license CmdArgAV=usage

sushraw
Engager

Hello all,

Can someone help me to extract the field 'CmdSet' from Cisco ISE accounting logs? String: '[ CmdAV=show CmdArgAV=license CmdArgAV=usage CmdArgAV=<cr> ]'

0 Karma

KothariSurbhi
Loves-to-Learn Everything

Hello @sushraw 

Can you please try appending the below:

| makemv CmdArgAV 
| eval CmdArgAV = replace(CmdArgAV, "\n", ", ")

The final results based on the sample event you shared would be:

| makeresults 
| eval _raw="Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>" 
| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]" 
| rex field=CmdSet max_match=0 "CmdArgAV=(?<CmdArgAV>[^\s]+)" 
| makemv CmdArgAV 
| eval CmdArgAV = replace(CmdArgAV, "\n", ", ")

Screenshot below for your reference (not reproduced here).

If this reply helps you, Karma would be appreciated.

0 Karma
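The same extraction done outside Splunk, as an added example that is not part of the thread or of any poster's code: it applies the thread's three regexes (CmdSet between the brackets, then CmdAV and every CmdArgAV token) to a constructed copy of the posted event plus a second made-up event for the "show license usage" command from the question. first_arg_only() reproduces what rex returns without max_match=0 (only the first CmdArgAV), all_args() reproduces max_match=0, and parse_command_authorization() joins command and arguments back onto one line, dropping the trailing <cr> end-of-line marker. The MatchedCommandSet and UserName patterns, and the second event's values, are assumptions made for this example.

```python
import re
from typing import List, Optional

# Constructed sample events. The first is the event posted in the thread
# (placeholders such as <device_IP> kept as posted); the second is made up
# here for the "show license usage" command from the question.
SAMPLE_EVENTS = [
    "Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 "
    "2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, "
    "DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, "
    "CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], "
    "Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>",
    "Mar 26 15:40:02 <device_IP> <device_name>_Passed_Authentications 0045846130 2 0 "
    "2024-03-26 14:40:02.118 +00:00 06024423120 5202 NOTICE Device-Administration: "
    "Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, "
    "DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, "
    "CmdSet=[ CmdAV=show CmdArgAV=license CmdArgAV=usage CmdArgAV=<cr> ], "
    "Protocol=Tacacs, MatchedCommandSet=PermitAllCommands, RequestLatency=8, NetworkDeviceName=<device_name>",
]

# Same patterns as the thread's rex commands: everything between "CmdSet=["
# and the closing "]", then the command token and each argument token.
CMDSET_RE = re.compile(r"CmdSet=\[(?P<CmdSet>[^\]]+)\]")
CMDAV_RE = re.compile(r"\bCmdAV=(?P<CmdAV>\S+)")
CMDARGAV_RE = re.compile(r"\bCmdArgAV=(?P<CmdArgAV>\S+)")
# Assumed field layout for the two extra fields pulled out below.
MATCHED_RE = re.compile(r"MatchedCommandSet=(?P<MatchedCommandSet>[^,\s]+)")
USER_RE = re.compile(r"UserName=(?P<UserName>[^,\s]+)")


def first_arg_only(cmdset: str) -> Optional[str]:
    """What `rex` returns without max_match=0: only the first CmdArgAV."""
    m = CMDARGAV_RE.search(cmdset)
    return m.group("CmdArgAV") if m else None


def all_args(cmdset: str) -> List[str]:
    """What `rex max_match=0` returns: every CmdArgAV token, in order."""
    return CMDARGAV_RE.findall(cmdset)


def parse_command_authorization(event: str) -> Optional[dict]:
    """Parse one ISE 'Command Authorization succeeded' event into a dict.

    Returns None when the event carries no CmdSet (for example a login
    accounting record) so callers can skip it instead of raising.
    """
    m = CMDSET_RE.search(event)
    if not m:
        return None
    cmdset = m.group("CmdSet").strip()
    cmd_match = CMDAV_RE.search(cmdset)
    command = cmd_match.group("CmdAV") if cmd_match else ""
    # Drop the trailing <cr> (end-of-line marker) so it does not end up in the
    # reconstructed command line; keep every real argument.
    args = [a for a in all_args(cmdset) if a != "<cr>"]
    matched = MATCHED_RE.search(event)
    user = USER_RE.search(event)
    return {
        "CmdSet": cmdset,
        "Command": command,
        "CmdArgAV": args,
        # One line per command, which is what the thread was after.
        "command_line": " ".join([command, *args]),
        "MatchedCommandSet": matched.group("MatchedCommandSet") if matched else None,
        "UserName": user.group("UserName") if user else None,
    }


def commands_matching(events: List[str], command_set: str) -> List[str]:
    """Command lines from events whose MatchedCommandSet equals command_set.

    Useful for pulling out, e.g., everything ISE matched against the
    'Unsafecommand' set in the posted event.
    """
    out = []
    for ev in events:
        parsed = parse_command_authorization(ev)
        if parsed and parsed["MatchedCommandSet"] == command_set:
            out.append(parsed["command_line"])
    return out


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        p = parse_command_authorization(ev)
        print(p["UserName"], p["MatchedCommandSet"], p["command_line"])
    print("first arg only:", first_arg_only(parse_command_authorization(SAMPLE_EVENTS[0])["CmdSet"]))
```

The difference between first_arg_only() and all_args() is exactly what adding max_match=0 changes in the thread: search() stops at the first CmdArgAV, findall() keeps going to the end of the bracketed CmdSet. Because CmdSet contains no commas, a comma-separated key=value split of the whole event would also work, but the bracket regex is what the thread settled on and is safe as long as command arguments never contain "]".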

sushraw
Engager

Hello @meetmshah 

I would like to thank you for your reply.

But I am looking to extract the 'CmdSet' field.

I am using 'rex field=CmdSet "CmdAV=(?<Command>[^\s]+)|\sCmdArgAV=(?<Command1>[^\s]+)"'

but it only gives output up to the 1st CmdArgAV value.


0 Karma

meetmshah
SplunkTrust

Hello @sushraw, can you please try the below:

| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
| rex field=CmdSet "CmdArgAV=(?<CmdArgAV>[^\s]+)"


Please accept the solution and hit Karma, if this helps! 

sushraw
Engager

hi @meetmshah 

Thanks for your reply, but it is not working as expected.

0 Karma

meetmshah
SplunkTrust

Oh, we will need to add max_match=0 to rex. Example below:

| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"
| rex field=CmdSet max_match=0 "CmdArgAV=(?<CmdArgAV>[^\s]+)"

Can you please check and let me know how it goes?

0 Karma

sushraw
Engager

@meetmshah thanks, 'max_match=0' helped.

But the command keywords are separated by 'Enter'. Is there any option to keep all words on one line?

0 Karma

meetmshah
SplunkTrust

Can you please try appending the below:

| makemv delim="," allowempty=t CmdArgAV


Please accept the solution and hit Karma, if this helps!

0 Karma

sushraw
Engager

Hi @meetmshah 

Not working as expected.

Search: log_type=Passed_Authentications MESSAGE_TEXT="Command Authorization succeeded"  | rex field=CmdSet max_match=0 "CmdAV=(?<Command>[^\s]+)|\sCmdArgAV=(?<Command1>[^\s]+)" | makemv delim="," allowempty=t Command1 | table _time,Command,Command1

0 Karma

sushraw
Engager

TACACS event:

Mar 26 15:37:59 <device_IP> <device_name>_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=<device_IP>, DestinationIPAddress=<device_IP>, DestinationPort=49, UserName=<user>, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=<cr> ], Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=<device_name>

0 Karma

meetmshah
SplunkTrust

Hello @sushraw, can you please try the below:

| rex field=_raw "CmdSet=\[(?<CmdSet>[^\]]+)\]"

The above should extract CmdSet from the events.

If it looks good, you can write a search-time field extraction to extract the field CmdSet automatically.

Please accept the solution and hit Karma, if this helps!

0 Karma

meetmshah
SplunkTrust

Hello @sushraw, can you please share sample events in order to create the regex? A sample event along with the field value that you want to extract.

0 Karma