I've searched through the Answers section, with not much help. What I'd like to do is to parse a log entry, to collect specific fields, and to compare those fields against a known value. If and only if the field(s) do not match a known value, print the result so I can create an alert for it.
Sample log file:
Oct 9 23:28:05 10.100.200.10 Juniper: 2013-10-10 00:28:05 - vpnhostXXX - [18.104.22.168] test_user(FOO-NC)[BarNC] - Network Connect: Session started for user with IP 10.10.10.10, hostname test_user_hostname
Using the log sample above, I'd like to check that a particular user, "test_user" connects to the VPN using ONLY a known host, in this case, "test_user_hostname". If "test_user" connects with a different host OR "test_user_hostname" connects with a different "test_user" ID, then I'd like to alert on it.
This is the query I've constructed, thus far (using Regex generated from 'Extract Field'):
... | rex "(?i) hostname (?P.+)" | rex "(?i)^[^\*\[\d+\.\d+\.\d+\.\d+\]\s+(?P[^\(]+)"
print search result IF test_user != test_user_hostname
If test_user connects with a host other than test_user_hostname, Splunk should return that result with the name of that host in the search result(s).
I'm struggling with coming up with the appropriate conditional statement(s).