Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to create a table from syslog event?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to create a table from the following syslog entry:
Aug 14 15:37:34 192.168.10.18 Aug 14 15:37:33 WestAnnex1 MAC Authentication failed for [0013.72eb.7330 ] on port 0/1/47 (Invalid User)
The problem I'm having is the fields I'm interested in aren't being created (I'm new to splunk, forgive me) I want the following table:
Time/Date
Source (WestAnnex1 for this example, maybe be able to re-label this to West Annex Switch)
Mac Address (0013.72eb.7330 for this example)
Port (0/1/47 for this example)
Hope I'm making sense and someone can help.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search <<index=A sourcetype=B...>> | rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
Date/Time should already be extracted as _time by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search <<index=A sourcetype=B...>> | rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
Date/Time should already be extracted as _time by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, just as you said, a space happened and it messed up the table. See below for the raw syslog:
Sep 2 07:53:25 192.168.10.18 Sep 2 07:53:24 WestAnnex1 MAC Authentication failed for [0030.a103.b3f4 ] on port 0/1/48 (Invalid User)
Aug 29 13:38:49 192.168.10.18 Aug 29 13:38:49 WestAnnex1 MAC Authentication failed for [0050.b980.10c9 ] on port 0/1/47 (Invalid User)
I changed the 7 to a 9 before Source and that fixed it but it will just go back when we hit Sept 10
Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No don't have to, unless the value contains a space(currently I am taking all characters before a space is encountered).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked like charm! Thanks!
I ended up doing this:
index=main sourcetype=syslog mac authentication | ....
One more quick question, if the source (WestAnnex1) changes, that is it says NorthAnnex1 (more characters and/or less) will I have to alter anything?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...
Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern
Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...
