Splunk Search

How to extract user and source ip from Cisco Syslog message?

jthomp7626
New Member
X_wan-network` sourcetype=wan_syslog EventType=local6.warning "Login" | rex field=_raw “(?\w+;(?\w+)”
| table _time,host, user, Source, WAN_site_name, EventMessage  | rename host as Node, WAN_site_name as Site_Name, user as User, EventMessage as Message | chart count over User , Source by Site_Name useother=f usenull=f 
| sort - _time
0 Karma

woodcock
Esteemed Legend

If you sourcetype your events the way that the Cisco apps expect it, then the field extractions should work. The sourcetypes are like cisco:ios, etc. If you show a valid raw event, I will give you the RegEx you need, but really, it should already be there for you.

0 Karma

adonio
Ultra Champion

hi jthomp7626,
There are Add-on built for most (if not all) Cisco products with all extractions pre configured.
check splunkbase and search for cisco, pick the right add on and Splunk your data

0 Karma
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...