- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to create a table from syslog event?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want to create a table from the following syslog entry:
Aug 14 15:37:34 192.168.10.18 Aug 14 15:37:33 WestAnnex1 MAC Authentication failed for [0013.72eb.7330 ] on port 0/1/47 (Invalid User)
The problem I'm having is the fields I'm interested in aren't being created (I'm new to splunk, forgive me) I want the following table:
Time/Date
Source (WestAnnex1 for this example, maybe be able to re-label this to West Annex Switch)
Mac Address (0013.72eb.7330 for this example)
Port (0/1/47 for this example)
Hope I'm making sense and someone can help.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search <<index=A sourcetype=B...>> | rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
Date/Time should already be extracted as _time by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search <<index=A sourcetype=B...>> | rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port
Date/Time should already be extracted as _time by Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Well, just as you said, a space happened and it messed up the table. See below for the raw syslog:
Sep 2 07:53:25 192.168.10.18 Sep 2 07:53:24 WestAnnex1 MAC Authentication failed for [0030.a103.b3f4 ] on port 0/1/48 (Invalid User)
Aug 29 13:38:49 192.168.10.18 Aug 29 13:38:49 WestAnnex1 MAC Authentication failed for [0050.b980.10c9 ] on port 0/1/47 (Invalid User)
I changed the 7 to a 9 before Source and that fixed it but it will just go back when we hit Sept 10
Thoughts?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No don't have to, unless the value contains a space(currently I am taking all characters before a space is encountered).
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
That worked like charm! Thanks!
I ended up doing this:
index=main sourcetype=syslog mac authentication | ....
One more quick question, if the source (WestAnnex1) changes, that is it says NorthAnnex1 (more characters and/or less) will I have to alter anything?
Introducing the Splunk Community Dashboard Challenge!
Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...
Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...
