Solved: How to get each occurrence of the username in a se...

rfiscus · ‎02-18-2016

This is my search:

index="test" sourcetype="Cisco_Users" 
| rex field=_raw "(?<Host>\w+-\w+-\w+-\w+-?\d?\.\w+\.\w+)\s\((?<IP>\d+\.\d+\.\d+\.\d+)"
| eval "IP Address" = IP
| rex field=_raw "(Version|version:)\s(?<IOS_Version>\d+.\d+\(\d+\)\w?\w?\w?)"
| eval "IOS Version" = IOS_Version
| rex field=_raw "(cisco|Hardware:)\s+(?<Model>\w+\s?-?\w+-?\w+)"
| rex field=_raw "(Serial Number:\s|Processor [B-B-b-b]oard ID )(?<Serial>\w+)"
| eval "Serial Number" = Serial
| rex field=_raw "username (?<Username>\w+)"
| table Host "IP Address" Model "IOS Version" "Serial Number" Username | Sort 0 Host

Sample Event:

TV-202-123-RT1.cbs.local (10.30.40.200):
Cisco IOS Software, C3750E Software (C3750E-IPBASEK9-M), Version 15.0(2)SE6, RELEASE SOFTWARE (fc2)
System image file is "flash:/c3750e-ipbasek9-mz.150-2.SE6/c3750e-ipbasek9-mz.150-2.SE6.bin"
cisco WS-C3750X-24 (PowerPC405) processor (revision A0) with 262144K bytes of memory.
Processor board ID FDO14
username user1 privilege 15 secret 5 
username user2 privilege 15 secret 5 
username user3 privilege 15 secret 5 
username user4 privilege 15 secret 5
username user5 privilege 15 secret 5

rfiscus · ‎02-18-2016

Bert from Splunk to the rescue again!!

| rex field=_raw max_match=50 "username (?<Username>\w+)"

View solution in original post

rfiscus · ‎02-18-2016

Bert from Splunk to the rescue again!!

| rex field=_raw max_match=50 "username (?<Username>\w+)"

How to get each occurrence of the username in a search from my sample data, not just the first username?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...