
Hi,
I have this log line:
May 13 08:01:56 192.168.10.10 system_service: 192.168.10.10 05/13/2020:07:01:56 GMT : GUI CMD_EXECUTED : User test_user - Remote_ip 10.10.10.10 - Command "login login tenant_name=Owner,password=********,Secret=*****,challenge_response=*****,token=80410000cb49a9,client_port=-1,cert_verified=false,sessionid=********,session_timeout=0,permission=superuser" - Status "Done"
and I already have the Fields:
user: test_user
remote_ip: 10.10.10.10
command: "login login tenant_name=Owner,password=********,Secret=*****,challenge_response=*****,token=*****,client_port=-1,cert_verified=false,sessionid=********,session_timeout=0,permission=user"
status: "Done"
But I need to extract new fields from the existing field "command".
For now what I need is to create the field "event" with the first word (Login and Logout).
Is there any way to extract a field from an existing one? Or do I have to use the REX in Search?
I have this search, but the event field has no values
index=my_index (command=login* OR command=logout*)
| rex field=command "event:^(.*.Command)\s+\"(?P<event>\w+)"
| table user,event, command,remote_ip, status, _time
| sort -_time
I've tested this regex expression and it returns the value "login" from the log line above.
Any idea of what I'm doing wrong?
Regards,


Your regex string was corrupted by the formatter, but it appears to be scanning the entire event (_raw) rather than just the command field. Try this rex command.
... | rex field=command "(?<event>\w+)" | ...
If this reply helps you, Karma would be appreciated.
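To see why the original pattern returned nothing, here is an added Python reproduction of the two rex calls (it is not from the thread or from Splunk); it uses Python's `(?P<name>...)` group syntax in place of Splunk's `(?<name>...)`, and the sample strings are constructed, shortened copies of the post's log line and command field. It also goes one step further than the thread and pulls the key=value pairs out of the command field.

```python
import re

# Constructed samples: a shortened copy of the raw event from the thread, and the
# value of the already-extracted "command" field (secrets are masked as in the post).
RAW_EVENT = (
    'May 13 08:01:56 192.168.10.10 system_service: 192.168.10.10 05/13/2020:07:01:56 GMT : '
    'GUI CMD_EXECUTED : User test_user - Remote_ip 10.10.10.10 - Command "login login '
    'tenant_name=Owner,password=********,token=*****,permission=user" - Status "Done"'
)
COMMAND_FIELD = '"login login tenant_name=Owner,password=********,token=*****,permission=user"'

# The original pattern requires the literal word "Command" before the quoted value.
# That text exists only in the whole event (_raw), never inside the command field itself.
RAW_PATTERN = re.compile(r'^(.*Command)\s+"(?P<event>\w+)')

# The fix from the reply: take the first word of the field you are actually searching.
FIELD_PATTERN = re.compile(r'(?P<event>\w+)')

# Hypothetical helper: key=value pairs inside the quoted command, values stop at ',' or '"'.
KV_PATTERN = re.compile(r'(?P<key>\w+)=(?P<value>[^,"]*)')


def rex(pattern, value):
    """Mimic `| rex field=<value> "<pattern>"`: named groups of the first match, {} if none."""
    m = pattern.search(value)
    return m.groupdict() if m else {}


def command_fields(command):
    """First word as `event`, plus every key=value pair found in the command string."""
    fields = rex(FIELD_PATTERN, command)
    fields.update((m.group('key'), m.group('value')) for m in KV_PATTERN.finditer(command))
    return fields


if __name__ == '__main__':
    print('original pattern on command field:', rex(RAW_PATTERN, COMMAND_FIELD))   # {}
    print('original pattern on _raw:         ', rex(RAW_PATTERN, RAW_EVENT))       # {'event': 'login'}
    print('fixed pattern on command field:   ', rex(FIELD_PATTERN, COMMAND_FIELD)) # {'event': 'login'}
    print('all fields from command:          ', command_fields(COMMAND_FIELD))
```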

Bingo!!!
My regex was for the full line and not for the command field.
Regards,
Pedro

Hi,
Please try the query below.
index=my_index (command=login* OR command=logout*)
| rex field=command "^\"(?<login_type>[\S]+)\s"
| table user, command, login_type, remote_ip, status, _time
If you have whitespace at the start of the command field, then try the query below.
index=my_index (command=login* OR command=logout*)
| rex field=command "^\s\"(?<login_type>[\S]+)\s"
| table user, command, login_type, remote_ip, status, _time

Hi,
Thanks for the reply.
On both searches, the fields "event" and "login_type" didn't return any value.

| user | event | login_type | remote_ip | status | _time |
|---|---|---|---|---|---|
| user1 | | | 192.168.10.10 | Success | 2020-05-13 08:07:06 |
| user1 | | | 192.168.10.10 | Success | 2020-05-13 08:07:06 |


Please share your query.
If this reply helps you, Karma would be appreciated.
