Extracting usernames from Solaris 9 syslog

Path Finder

Hi guys,
I hope this is an easy one for you. We have Solaris 9 boxes sending syslogs to an NFS share, and our Splunk 4.3 consumes them. We need to generate management reports capturing all user logins to Solaris, mainly via SSH and ALOM (SC). I cannot seem to extract the fields correctly for both entry points because the log syntax is different for each login method. Here is an example for SSH:
"10:23:41.000 AM <38>1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: [ID 800047 auth.info] Accepted password for root from port 63843 ssh2
source=/nfssoruce/syslogs host=ssolaris_host"

and this is for ALOM logins:
"10:58:05.000 PM <5>1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: [ID 197766 kern.notice] SC Login: User some_user Logged out.
source=/nfssoruce/syslogs host=solaris_host"

Would anyone have a handy regex or lookup for this scenario? In general, what is the best approach to parse Solaris 9 syslogs?
Thank you kindly.

1 Solution

Splunk Employee

Here is a regex matching both with an OR condition:

| rex "(Accepted password for |SC Login: User )(?<username>\w+)" | table username _raw

(remove the extra spaces in the XML tag; I had to add them because the forum was escaping the whole attribute)

View solution in original post


Splunk Employee

You are welcome.


Path Finder

Dear yannK,

Bullseye! Works like a charm with a few cosmetic touches. Thank you kindly.
DanSavage, appreciate your assistance as well.



Nice, like that.



If sshd appears in the event and the rmclomv text is distinct in your events then you can separate out the results in the search criteria. Even if you need to show the 2 in the same report, you can sum as separate totals. Other than that yes of course you can regex them out as say different source types, but it hardly seems to be worth it. Keep it simple? 😉



Understood. yannK did the business below 😉


Path Finder

Yes, I can separate based on the process name (sshd or rmclomv), but separating the usernames is a challenge somehow. My regex skills are not too good yet, and it pulls a lot of noise into the extraction. For one, this regex from the built-in field extractor:
"(?i)^(?:[^]]*]){2}\s+\w+\s+\w+\s+\w+\s+(?P<username>[^ ]+)"
against the very first example (see above)
gets me 1 username but also 4 useless extracts from the string, including dashes and prepositions.

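To show why the accepted answer's alternation regex extracts cleanly where the built-in field extractor's positional regex does not, here is an added Python example (not code from the thread or from Splunk). It runs both regexes over constructed events modelled on the two samples in the question and builds the per-method login count the original poster was after. Assumptions are marked in the code: the source address after "from", which is absent from the page's SSH sample, is a documentation address; the third and fourth events, including the `000000` message ID, are constructed; the regexes use Python's `(?P<name>...)` group syntax, whereas Splunk's `rex` (PCRE) accepts `(?<username>...)` as posted.

```python
import re
from collections import Counter

# The accepted answer's regex (alternation on the two fixed prefixes), written
# with Python's (?P<name>...) syntax; Splunk's rex accepts (?<username>...).
USERNAME_RE = re.compile(r"(Accepted password for |SC Login: User )(?P<username>\w+)")

# The built-in field extractor's positional regex quoted later in the thread:
# skip two "[...]" blocks, then three words, then capture the next token.
POSITIONAL_RE = re.compile(r"(?i)^(?:[^]]*]){2}\s+\w+\s+\w+\s+\w+\s+(?P<username>[^ ]+)")

# Constructed sample events (syslog _raw as Splunk would index it, without the
# display timestamp the question's paste shows in front of "<38>1").
SAMPLE_EVENTS = [
    # SSH login modelled on the question's first sample; the page omits the
    # address after "from", so a documentation address (192.0.2.10) is assumed.
    "<38>1 2013-01-28T10:23:41-05:00 solaris_host sshd 26371 - - sshd[26371]: "
    "[ID 800047 auth.info] Accepted password for root from 192.0.2.10 port 63843 ssh2",
    # ALOM event modelled on the question's second sample.
    "<5>1 2013-01-21T22:58:05-05:00 solaris_host rmclomv - - - rmclomv: "
    "[ID 197766 kern.notice] SC Login: User some_user Logged out.",
    # Constructed second SSH login for a different user.
    "<38>1 2013-01-28T11:02:17-05:00 solaris_host sshd 26402 - - sshd[26402]: "
    "[ID 800047 auth.info] Accepted password for oper1 from 192.0.2.11 port 50122 ssh2",
    # Constructed sshd line that is not a login (message ID 000000 is a
    # placeholder); it shows the noise the positional regex produces.
    "<38>1 2013-01-28T11:05:00-05:00 solaris_host sshd 26402 - - sshd[26402]: "
    "[ID 000000 auth.info] Received disconnect from 192.0.2.11: 11: disconnected by user",
]


def extract_username(event: str):
    """Username via the accepted answer's regex, or None when the event is not a login line."""
    m = USERNAME_RE.search(event)
    return m.group("username") if m else None


def positional_extract(event: str):
    """What the field extractor's positional regex would capture (None if no match)."""
    m = POSITIONAL_RE.search(event)
    return m.group("username") if m else None


def login_method(event: str):
    """Separate SSH from ALOM by the syslog process name, as suggested in the thread."""
    if " sshd " in event or "sshd[" in event:
        return "ssh"
    if "rmclomv" in event:
        return "alom"
    return None


def login_report(events):
    """Count events per (method, username); events without a username are dropped."""
    counts = Counter()
    for ev in events:
        user = extract_username(ev)
        if user:
            counts[(login_method(ev), user)] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{login_method(ev)!s:5} alternation={extract_username(ev)!r:12} "
              f"positional={positional_extract(ev)!r}")
    print(login_report(SAMPLE_EVENTS))
```

Running it shows the positional regex has no match on the ALOM event (it has only one `[...]` block, so `{2}` never satisfies) and captures `192.0.2.11:` from the disconnect line, while the alternation regex returns exactly the usernames and nothing for the non-login line. One caveat grounded in the question's own sample: the ALOM line is a "Logged out" event, so the alternation regex yields a username on logouts as well; filtering on the rest of the line before counting is one of the "cosmetic touches" mentioned in the thread.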