Splunk Search

How do I extract the status from authentication logs into an action field?

Engager

Hello!
Please let me know how I can extract the status of the authentication from the following logs into an action field.

CRON: pam_unix(cron:session): session opened for user root by (uid=0)
CRON: pam_unix(cron:session): session closed for user root

thanks!

0 Karma
1 Solution

SplunkTrust

Hi @ysifusuf,

You can get that extracted directly within your search as follows:

..... | rex field=_raw "([^:]+\:)+\ssession\s(?<action>\w+)\s"

Or if you add it as an extracted field to have it automatically on your next search as shown here for GUI:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Managesearch-timefieldextractions#Revie...
Or by editing props.conf:

[your_authentication_sourcetype]
EXTRACT-action = ([^:]+\:)+\ssession\s(?<action>\w+)\s

Cheers,
David

Explorer

You can also do like this,

| rex field=_raw "^(?:[^ \n]* ){3}(?P<action>\w+)"

0 Karma

Engager

Hey man,
it works, thanks
@DavidHourani

0 Karma

SplunkTrust

You're welcome!

0 Karma

SplunkTrust

There are a number of ways to do that, depending on your specific needs. Here's one:

 index=foo | rex "session (?<action>\S+) for user (?<user>\S+)" | ...
---
If this reply helps you, an upvote would be appreciated.
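To see what each pattern in this thread actually puts into the action field, here is an added Python check (not code from the thread or from Splunk) that applies them to constructed sample events; Python's re stands in for rex since both accept the (?P<name>...) syntax. The sshd session line, the pam_unix authentication-failure line and the syslog-prefixed line are assumptions added for the comparison.

```python
import re

# Pattern from the accepted answer (anchored on the "session" keyword).
ANCHORED_RE = re.compile(r"([^:]+:)+\ssession\s(?P<action>\w+)\s")
# Pattern from the second reply: purely positional, takes the 4th space-separated token.
POSITIONAL_RE = re.compile(r"^(?:[^ \n]* ){3}(?P<action>\w+)")
# Pattern from the last reply, which also captures the account name.
USER_RE = re.compile(r"session (?P<action>\S+) for user (?P<user>\S+)")

# Constructed sample events: the two lines from the question, an sshd session line,
# a pam_unix authentication-failure line (no "session" keyword, so no action field),
# and a session line carrying a syslog timestamp/host prefix.
SAMPLE_EVENTS = [
    "CRON: pam_unix(cron:session): session opened for user root by (uid=0)",
    "CRON: pam_unix(cron:session): session closed for user root",
    "sshd[2210]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 "
    "tty=ssh ruser= rhost=192.0.2.10 user=alice",
    "Mar 13 10:15:01 host1 CRON[41]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def extract_action(event, pattern=ANCHORED_RE):
    """Return what rex would put in 'action' for this event, or None if no match."""
    m = pattern.search(event)
    return m.group("action") if m else None


def extract_fields(event):
    """Return {'action': ..., 'user': ...} for a session event, or {} otherwise."""
    m = USER_RE.search(event)
    return m.groupdict() if m else {}


def session_counts(events):
    """Count (user, action) pairs, the shape of a `| stats count by user action`."""
    counts = {}
    for ev in events:
        f = extract_fields(ev)
        if f:
            key = (f["user"], f["action"])
            counts[key] = counts.get(key, 0) + 1
    return counts
```

The positional pattern only works while the field always sits in the fourth token: with a syslog prefix it returns the hostname, and on an authentication-failure line it returns "failure" rather than leaving the field empty.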