How to create a table from syslog event?

wiredmonkey
Explorer

I want to create a table from the following syslog entry:

Aug 14 15:37:34 192.168.10.18 Aug 14 15:37:33 WestAnnex1 MAC Authentication failed for [0013.72eb.7330 ] on port 0/1/47 (Invalid User)

The problem I'm having is the fields I'm interested in aren't being created (I'm new to Splunk, forgive me). I want the following table:

Time/Date
Source (WestAnnex1 for this example; maybe I'd be able to re-label this to West Annex Switch)
MAC Address (0013.72eb.7330 for this example)
Port (0/1/47 for this example)

Hope I'm making sense and someone can help.
Thanks!


somesoni2
Revered Legend

Try this:

your base search <<index=A sourcetype=B...>> | rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

Date/Time should already be extracted as _time by Splunk.


wiredmonkey
Explorer

Well, just as you said, a space happened and it messed up the table. See below for the raw syslog:

Sep 2 07:53:25 192.168.10.18 Sep 2 07:53:24 WestAnnex1 MAC Authentication failed for [0030.a103.b3f4 ] on port 0/1/48 (Invalid User)
Aug 29 13:38:49 192.168.10.18 Aug 29 13:38:49 WestAnnex1 MAC Authentication failed for [0050.b980.10c9 ] on port 0/1/47 (Invalid User)

I changed the 7 to a 9 before Source and that fixed it, but it will just go back when we hit Sept 10.

Thoughts?


somesoni2
Revered Legend

No, you don't have to, unless the value contains a space (currently I am taking all characters before a space is encountered).

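Added example, not code from the thread: a Python re-implementation of the accepted rex that also survives the padded single-digit day ("Sep  2") the follow-up ran into, drops the stray space inside the MAC brackets, and re-labels Source the way the question asked. The sample lines, the label map and the year (syslog lines carry none) are constructed assumptions; it also shows what the original token count captures on a padded line.

```python
import re
from datetime import datetime

# Constructed sample events modelled on the thread above; single-digit days carry
# the second space ("Sep  2") that syslog emits and that broke the original rex.
SAMPLE_EVENTS = [
    "Aug 14 15:37:34 192.168.10.18 Aug 14 15:37:33 WestAnnex1 MAC Authentication "
    "failed for [0013.72eb.7330 ] on port 0/1/47 (Invalid User)",
    "Sep  2 07:53:25 192.168.10.18 Sep  2 07:53:24 WestAnnex1 MAC Authentication "
    "failed for [0030.a103.b3f4 ] on port 0/1/48 (Invalid User)",
    "Aug 29 13:38:49 192.168.10.18 Aug 29 13:38:49 NorthAnnex1 MAC Authentication "
    "failed for [0050.b980.10c9 ] on port 0/1/47 (Invalid User)",
]

# Prefix of the accepted answer's rex: "[^ ]* " counts spaces rather than tokens,
# so the padding space shifts the Source capture onto the wrong word.
ORIGINAL_SOURCE_RE = re.compile(r"^(?:[^ ]* ){7}(?P<Source>[^ ]+)")

# Hardened version (assumed rewrite, not from the thread): \S+\s+ consumes one token
# plus any run of whitespace, and the MAC capture excludes the space in the brackets.
EVENT_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # relay timestamp
    r"(?:\S+\s+){4}"              # relay IP, then the switch's own Mon day hh:mm:ss
    r"(?P<Source>\S+)\s+.*?"      # hostname, any length
    r"\[\s*(?P<MAC_Address>[^\]\s]+)\s*\].*?\bport\s+(?P<Port>\S+)",
    re.IGNORECASE,
)

# Friendly names for the Source column, as the question asked for (constructed).
SOURCE_LABELS = {"WestAnnex1": "West Annex Switch"}

def original_rex_source(line):
    """What the thread's original rex captures as Source for this line."""
    m = ORIGINAL_SOURCE_RE.search(line)
    return m["Source"] if m else None

def parse_event(line, year):
    """One table row, or None if the line is not a MAC-auth failure event.
    syslog carries no year, so the caller supplies it (assumption)."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    src = m["Source"]
    return {"_time": ts.strftime("%Y-%m-%d %H:%M:%S"), "Source": SOURCE_LABELS.get(src, src),
            "MAC_Address": m["MAC_Address"].lower(), "Port": m["Port"]}

def build_table(lines, year=2024):
    # The table the question wanted: one row per failed MAC authentication.
    return [row for row in (parse_event(line, year) for line in lines) if row]
```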

wiredmonkey
Explorer

That worked like a charm! Thanks!

I ended up doing this:

index=main sourcetype=syslog mac authentication | ....

One more quick question: if the source (WestAnnex1) changes, that is, it says NorthAnnex1 (more and/or fewer characters), will I have to alter anything?
