Splunk Search

Help with regex

surekhasplunk
Communicator

Hi,

I have below in column default_message

1st regex :

default_message= <14>shell: cmd by abcd: mkdir test

can you please help me with the regex to extract user here and the command run by the user in another column command. We can consider the : as the delimiter after user

here i should be able to extract user=abcd and command=mkdir test

2nd regex :

default_message= <133>clish[1234]: User abcd finished running clish -c from CLI shell

same column we need to extract user=abcd and command=finished running clish -c from CLI shell

Please help me with the regex.

If we can combine above two it would be great. else i will have to use some case and then do the regex.

Thanks

 

 

Labels (1)
Tags (2)
0 Karma
1 Solution

thambisetty
SplunkTrust
SplunkTrust

1st regex 

 

|makeresults 
| eval _raw="default_message= <14>shell: cmd by abcd: mkdir test"
| rex "cmd by (?<user>[^\:]+): (?<command>[^\s]+)"

 

2nd regex will combine both and work for 1st and second:

 

|makeresults 
| eval test="default_message= <14>shell: cmd by abcd: mkdir test|default_message= <133>clish[1234]: User abcd finished running clish -c from CLI shell"
| makemv test delim="|"
| mvexpand test
| rex field=test "cmd by (?<user1>[^\:]+): (?<command1>[^\s]+)"
| rex field=test  "User (?<user2>[^\s]+) (?<command2>.*)"
| eval user=coalesce(user1,user2),command=coalesce(command1,command2)
| table test user command

 

————————————
If this helps, give a like below.

View solution in original post

0 Karma

thambisetty
SplunkTrust
SplunkTrust

1st regex 

 

|makeresults 
| eval _raw="default_message= <14>shell: cmd by abcd: mkdir test"
| rex "cmd by (?<user>[^\:]+): (?<command>[^\s]+)"

 

2nd regex will combine both and work for 1st and second:

 

|makeresults 
| eval test="default_message= <14>shell: cmd by abcd: mkdir test|default_message= <133>clish[1234]: User abcd finished running clish -c from CLI shell"
| makemv test delim="|"
| mvexpand test
| rex field=test "cmd by (?<user1>[^\:]+): (?<command1>[^\s]+)"
| rex field=test  "User (?<user2>[^\s]+) (?<command2>.*)"
| eval user=coalesce(user1,user2),command=coalesce(command1,command2)
| table test user command

 

————————————
If this helps, give a like below.
0 Karma

surekhasplunk
Communicator

Hi @thambisetty 

Thanks for your quick reply. 

It working well to extract user but command2 its showing only finished/running/logged. 

whereas i want the full text after the user2 field form the column. 

0 Karma

thambisetty
SplunkTrust
SplunkTrust

check updated answer. I misunderstood.

------------------------------

up vote if it works.

————————————
If this helps, give a like below.
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...