Splunk Search

How do you extract multiple strings of text using rex?

TechnicalRS
Engager

I have VPN access connect/disconnect events from a Meraki security appliance being fed into Splunk. They show up in Splunk as:

Jun  2 11:13:37 10.0.0.253 1
1401722017.518634469 Site1_Firewall events client_vpn_connect user id 'username@domainname.com' local ip
192.168.111.165 connected from 10.2.30.44

Jun  2 11:10:02 10.0.0.253 1
1401721802.723896809 Site1_Firewall events client_vpn_disconnect user id 'username@domainname.com' local ip
192.168.111.165 connected from 10.2.30.44

I am needing this data to be less cluttered for a report that shows when users are accessing the VPN, and would only really need something like:

Jun 2 11:10:02 connect username@domainname.com 10.2.30.44
Jun 2 11:13:55 disconnect username@domainname.com 10.2.30.44

What would be the best method of extracting only the needed information from the logged message? I have read up on the rex command in splunk and while it seems like this would be where I need to be looking, I have absolutely no experience with how to write regular expressions. If anyone can offer a suggestion on how to accomplish this (as well as tips/reading material for understanding and writing regular expressions!) I would be very appreciative

Tags (3)
0 Karma
1 Solution

somesoni2
Revered Legend

Try something like this.

Your base search | rex "client_vpn_(?<Action>[^ ]*) user id '(?<UserId>[^']*)'" | rex " connected from (?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval Message=strftime(_time,"%B %d %H:%M:%S")." ".Action." ".UserId." ".IPAddress | table Message

View solution in original post

somesoni2
Revered Legend

Try something like this.

Your base search | rex "client_vpn_(?<Action>[^ ]*) user id '(?<UserId>[^']*)'" | rex " connected from (?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval Message=strftime(_time,"%B %d %H:%M:%S")." ".Action." ".UserId." ".IPAddress | table Message

somesoni2
Revered Legend

TechnicalRS
Engager

That works perfectly. Thank you very much!

0 Karma
Get Updates on the Splunk Community!

Security Professional: Sharpen Your Defenses with These .conf25 Sessions

Sooooooooooo, guess what. .conf25 is almost here, and if you're on the Security Learning Path, this is your ...

First Steps with Splunk SOAR

Our first step was to gather a list of the playbooks we wanted and to sort them by priority.  Once this list ...

How To Build a Self-Service Observability Practice with Splunk Observability Cloud

If you’ve read our previous post on self-service observability, you already know what it is and why it ...