Solved: How to add a field extraction to an existing defau...

CREVITCH · ‎12-18-2015

I have logs that do not use the default name value format for the user field. When I add a field extractor for my user format and name it "user", the default format of "user=" no longer is included in the search. How to I add to the existing field rule rather than replace it?

renjith_nair · ‎12-19-2015

Try adding a different field name instead of user for field extraction and then use a field alias to link both

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addaliasestofields

---
What goes around comes around. If it helps, hit it with Karma 🙂

View solution in original post

woodcock · ‎12-21-2015

You can do it like this :

props.conf:

[YourSourcetypeHere]
REPORT-SomeArbitraryUniqueStringHere = UserFieldMultipleFormats

transforms.conf:

[UserFieldMultipleFormats]
REGEX = (?:session (?:closed|opened) for|disconnected by|[Ii]nvalid|about|check pass;) user (\w+)
FORMAT = user::$1

renjith_nair · ‎12-19-2015

Try adding a different field name instead of user for field extraction and then use a field alias to link both

http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/Addaliasestofields

---
What goes around comes around. If it helps, hit it with Karma 🙂

CREVITCH · ‎12-18-2015

I have a number of formats for user. How can I create a field extractor that will cover all of them:

session closed for user XXXX
session opened for user XXXX
disconnected by user XXXX
invalid user XXXX
about user XXXX
check pass; user unknown
Invalid user XXXX
user=XXXX (default built into linux_secure)

How to add a field extraction to an existing default field?

props.conf:

transforms.conf:

Archived Metrics Now Available for APAC and EMEA realms

Detecting Remote Code Executions With the Splunk Threat Research Team

Enter the Dashboard Challenge and Watch the .conf24 Global Broadcast!