Splunk Search

How to edit my search to extract this value from my sample syslog data, and assign it a certain field name to display in my stats table?

HCadmins
Communicator

Hi,

Take a look at this Sophos UTM syslog entry

2016:09:06-12:28:48 portal-1 aua[21251]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.48.15" host="" user="jon.doe" caller="openvpn" reason="DENIED"

I have a dashboard panel that runs this search

host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp | rename user as "User", name as "Reason"

Which works wonderfully. It displays the first 5 users, reasons for failure, and a timestamp in nice, neat columns.

The problem I am trying to resolve is this:

In the UTM log entry, it names this firewall portal-1, which would be okay if I only had one firewall. As it stands, I have logs coming from portal, portal-1, portal-2, and portal-3 and I'd like to be able to differentiate the portals with friendly names.

So, a couple of questions
1) Where it says portal-1 doesn't even seem to be a type of field, just some text that's part of the log entry (i.e. there is no "name=portal-1" or anything). How do I display it in my stats table?

2) Users could be failing authentication from any of our four portals, and I'd like it to display portal-1 as Internal Firewall, and likewise have friendly names for our other firewalls as well.

Thanks in advance!

0 Karma
1 Solution

somesoni2
Revered Legend

By default Splunk only extracts fields which are appearing as key-value pair (like other fields). The portal/firewall name doesn't appear as kv pair, so it has to be extracted explicitly. Try something like this

host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | rex field=_raw "^\S+\s(?<Firewall>\S+)"| eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp Firewall | rename user as "User", name as "Reason" | eval Firewall=case(Firewall="portal","Some Text1", Firewall="portal-1","Some Text2",Firewall="portal-2","Some Text3"..., true(),"Default Value")

View solution in original post

0 Karma

somesoni2
Revered Legend

By default Splunk only extracts fields which are appearing as key-value pair (like other fields). The portal/firewall name doesn't appear as kv pair, so it has to be extracted explicitly. Try something like this

host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | rex field=_raw "^\S+\s(?<Firewall>\S+)"| eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp Firewall | rename user as "User", name as "Reason" | eval Firewall=case(Firewall="portal","Some Text1", Firewall="portal-1","Some Text2",Firewall="portal-2","Some Text3"..., true(),"Default Value")
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...