Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a field from a string

evang_26
Communicator
‎12-06-2013 05:39 AM

Hi users,

I have a big string in one field from which I want to extract specific values such as user and IP address and count based by that. As a reference of my logs take a look below.

Message: The user julie connected from 127.0.0.1 but failed an authentication attempt due to the following reason: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.

The query that I created by without success is the following:

sourcetype="WinEventLog" *remote access* *failed* | rex field=Message "The user : (?<user>[a-z].*) connected from (?<ip>[1-9].*) but.*$"  | table user, ip

Do you have any suggestions??
Thanks in advance!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎12-06-2013 05:58 AM

The regex needs to look something like this:

^\w+\s+user\s+(?<user>\S+)\s+connected\s+from\s+(?<ip>\S+)\s+

So the search will be:

sourcetype="WinEventLog" remote access failed | rex field=Message "^\w+\s+user\s+(?<user>\S+)\s+connected\s+from\s+(?<ip>\S+)\s+"  | table user, ip

The capital "\S+" tells regex to grab everything that is not a space. You user names might have numbers in them for instance and you ip address has periods.

Hope that helps.

View solution in original post

Reply
Solved! Jump to solution

evang_26
Communicator
‎12-06-2013 06:43 AM

You guys are GREAT! Fantastic! I was quite close then. However, give me a little more insight here.

Breaking down the expression "(?\S+)" to smaller pieces, why we use the "?" ? I know that this is used so as to define an optional previous character. However this is not the case here.

As for the "" obviously that's the way to create the field, so that's fine!

I appreciate your answear, again!

0 Karma
Reply
Solved! Jump to solution
Solution

tgow
Splunk Employee
Splunk Employee
‎12-06-2013 05:58 AM

The regex needs to look something like this:

^\w+\s+user\s+(?<user>\S+)\s+connected\s+from\s+(?<ip>\S+)\s+

So the search will be:

sourcetype="WinEventLog" remote access failed | rex field=Message "^\w+\s+user\s+(?<user>\S+)\s+connected\s+from\s+(?<ip>\S+)\s+"  | table user, ip

The capital "\S+" tells regex to grab everything that is not a space. You user names might have numbers in them for instance and you ip address has periods.

Hope that helps.

Reply
Solved! Jump to solution

evang_26
Communicator
‎12-06-2013 06:43 AM

You guys are GREAT! Fantastic! I was quite close then. However, give me a little more insight here.

Breaking down the expression "(?\S+)" to smaller pieces, why we use the "?" ? I know that this is used so as to define an optional previous character. However this is not the case here.

As for the "" obviously that's the way to create the field, so that's fine!

I appreciate your answear, again!

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎12-06-2013 06:26 AM

Yep, the colon after Message is not a word character (\w).

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎12-06-2013 06:11 AM

The rex didn't work for me with sample data from evang_26. Updated rex which worked : "The user\s+(?\S+)\s+connected\s+from\s+(?\S+)\s+"

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...