Splunk Search

Extracting data from specific field

abctx007
New Member

hi i tried playing with rex and regex but couldn't figure exact expression. my command field is in 3 different scenarios

1) COMMAND=/usr/local/bin/ssh -q host1
2) COMMAND=/usr/local/bin/ssh host1
3) COMMAND=/usr/local/bin/ssh -q host1 df -h

i want a search to give my results only in (1) and (2). we have jump server where many users jump via sudo to other users and i want the list of users only who jumped and not who executed command via for loop in scenario (3).
source="/var/raw/logs/sudo.log" host=jumpserver ??????????????????

1) COMMAND=/usr/local/bin/ssh mex-01
2) COMMAND=/usr/local/bin/ssh -q mex-02
3) COMMAND=/usr/local/bin/ssh -q mex-03 df -h /apps

from these above commands i want to extract only (1) and (2) and ignore (3)

Tags (2)
0 Karma

lguinn2
Legend

Try this:

source="/var/raw/logs/sudo.log" host=jumpserver
| where match(COMMAND,"/usr/local/bin/ssh -q \S+\s*$") OR  match(COMMAND,"/usr/local/bin/ssh \S+\s*$")

This will only match COMMAND fields that have nothing (or only whitespace) after the host name.

0 Karma

abctx007
New Member

Tk you very much lguinn that is what i was looking for.appreciate your help.

0 Karma

grijhwani
Motivator

How about a sample of actual log data (names/commands obfuscated if you like), and then a representation (not a description) of the results you are seeking to generate.

0 Karma

somesoni2
SplunkTrust
SplunkTrust

Try this

source="/var/raw/logs/sudo.log" host=jumpserver | regex COMMAND="/usr/local/bin/ssh (-q \w+|\w+)*$"
0 Karma

abctx007
New Member

tks for suggestion but this didn't help. i want to list o/p whose executed "/usr/local/bin/ssh hostname" and "/usr/local/bin/ssh -q hostname" but not "/usr/local/bin/ssh -q hostname *"

0 Karma

lguinn2
Legend

You don't have to get a single perfect regular expression...

Here is one alternative

source="/var/raw/logs/sudo.log" host=jumpserver
| where NOT match(COMMAND,"/usr/local/bin/ssh -q \S+ df -h")
| where match(COMMAND,"/usr/local/bin/ssh -q \S+") OR  match(COMMAND,"/usr/local/bin/ssh \S+")

You might not need both of the where commands, but I thought that it was a nice illustration.

0 Karma

abctx007
New Member

Tks for your help Iguinn but in this case didn't help me, i should have been more clear in my Q. in case (3) command doesn't always be "df -h" it will one of many thousands. i want to ignore "/usr/local/bin/ssh -q host1 *" pretty much anything after host1. and by the way hostname(host1) also changes all the time.

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...