Hi,

I've searched through the Answers section, with not much help. What I'd like to do is to parse a log entry, to collect specific fields, and to compare those fields against a known value. If and only if the field(s) do not match a known value, print the result so I can create an alert for it.

Sample log file:

Oct  9 23:28:05 10.100.200.10 Juniper: 2013-10-10 00:28:05 - vpnhostXXX - [1.2.3.4] test_user(FOO-NC)[BarNC] - Network Connect: Session started for user with IP 10.10.10.10, hostname test_user_hostname

Using the log sample above, I'd like to check that a particular user, "test_user" connects to the VPN using ONLY a known host, in this case, "test_user_hostname". If "test_user" connects with a different host OR "test_user_hostname" connects with a different "test_user" ID, then I'd like to alert on it.

This is the query I've constructed, thus far (using Regex generated from 'Extract Field'):

... | rex "(?i) hostname (?P.+)" | rex "(?i)^[^\[]*\[\d+\.\d+\.\d+\.\d+\]\s+(?P[^\(]+)"

Pseudocode:
print search result IF test_user != test_user_hostname

Test:
If test_user connects with a host other than test_user_hostname, Splunk should return that result with the name of that host in the search result(s).

I'm struggling with coming up with the appropriate conditional statement(s).

Any help is much appreciated.

thanks,
-mike