Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

extracting the same field from the same sourcetype in an index, but with multiple log formats

toddblake
Explorer
‎09-24-2013 10:13 AM

Linux logs su failures like so:

Sep 23 15:23:25 linuxhost su[6903]: pam_unix(su-l:auth): authentication failure; logname= uid=99 euid=0 tty=pts/3 ruser=nobody rhost=  user=myuser

Whereas solaris logs them like this:

Sep 23 15:07:50 solhost su[23608]: [ID 810491 auth.crit] 'su root' failed for myuser on /dev/pts/1

I wanted to extract a user field using the rex command and came up with the following:

for linux: I can just use the user field

for solaris: rex field=_raw "failed for (?<user>\w) on)"

So ultimately I'd like to be able to search for either string, and then extract the user field and report on that field regardless of log format. Any ideas?

Tags (1)
0 Karma
Reply

jonuwz
Influencer
‎09-24-2013 12:27 PM

Something like :

rex field=_raw ".*(?:failed for |user=)(?<user>\w+).*"
Reply

toddblake
Explorer
‎09-24-2013 04:46 PM

oh neat thanks, didn't know there was an OR operator(the pipe) in a regex, and didn't think to parse out the name=value pair since it normally does it on it's own anyway. Seems to do the trick, thanks!

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...