Splunk Search
Highlighted

How to extract user and source ip from Cisco Syslog message?

New Member
X_wan-network` sourcetype=wan_syslog EventType=local6.warning "Login" | rex field=_raw “(?\w+;(?\w+)”
| table _time,host, user, Source, WAN_site_name, EventMessage  | rename host as Node, WAN_site_name as Site_Name, user as User, EventMessage as Message | chart count over User , Source by Site_Name useother=f usenull=f 
| sort - _time
0 Karma
Highlighted

Re: How to extract user and source ip from Cisco Syslog message?

SplunkTrust
SplunkTrust

hi jthomp7626,
There are Add-on built for most (if not all) Cisco products with all extractions pre configured.
check splunkbase and search for cisco, pick the right add on and Splunk your data

0 Karma
Highlighted

Re: How to extract user and source ip from Cisco Syslog message?

Esteemed Legend

If you sourcetype your events the way that the Cisco apps expect it, then the field extractions should work. The sourcetypes are like cisco:ios, etc. If you show a valid raw event, I will give you the RegEx you need, but really, it should already be there for you.

0 Karma