- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to edit my search to extract this value from m...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
Take a look at this Sophos UTM syslog entry
2016:09:06-12:28:48 portal-1 aua[21251]: id="3005" severity="warn" sys="System" sub="auth" name="Authentication failed" srcip="192.168.48.15" host="" user="jon.doe" caller="openvpn" reason="DENIED"
I have a dashboard panel that runs this search
host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp | rename user as "User", name as "Reason"
Which works wonderfully. It displays the first 5 users, reasons for failure, and a timestamp in nice, neat columns.
The problem I am trying to resolve is this:
In the UTM log entry, it names this firewall portal-1, which would be okay if I only had one firewall. As it stands, I have logs coming from portal, portal-1, portal-2, and portal-3 and I'd like to be able to differentiate the portals with friendly names.
So, a couple of questions
1) Where it says portal-1 doesn't even seem to be a type of field, just some text that's part of the log entry (i.e. there is no "name=portal-1" or anything). How do I display it in my stats table?
2) Users could be failing authentication from any of our four portals, and I'd like it to display portal-1 as Internal Firewall, and likewise have friendly names for our other firewalls as well.
Thanks in advance!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default Splunk only extracts fields which are appearing as key-value pair (like other fields). The portal/firewall name doesn't appear as kv pair, so it has to be extracted explicitly. Try something like this
host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | rex field=_raw "^\S+\s(?<Firewall>\S+)"| eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp Firewall | rename user as "User", name as "Reason" | eval Firewall=case(Firewall="portal","Some Text1", Firewall="portal-1","Some Text2",Firewall="portal-2","Some Text3"..., true(),"Default Value")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
By default Splunk only extracts fields which are appearing as key-value pair (like other fields). The portal/firewall name doesn't appear as kv pair, so it has to be extracted explicitly. Try something like this
host=* sourcetype=UTM* sub=auth name="Authentication failed" OR "Authentication Failed" | head 5 | rex field=_raw "^\S+\s(?<Firewall>\S+)"| eval Timestamp=strftime(_time,"%m-%d-%y %I:%M %p")| table user name Timestamp Firewall | rename user as "User", name as "Reason" | eval Firewall=case(Firewall="portal","Some Text1", Firewall="portal-1","Some Text2",Firewall="portal-2","Some Text3"..., true(),"Default Value")
ICYMI - Check out the latest releases of Splunk Edge Processor
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
