Hello,
Novice, but getting better. I am searching the Internet, Splunk Docs, and Splunk Answers for an answer. Meanwhile, I figured to post my issue.
After the general search commands (index, sourcetype, etc.) I want to perform branching to different SPL commands based on the value of a field.
For example in pseudo code.
if process=snmpd
(| rex message=(blah, blah, blah)
| stats count(process), blah, blah, blah)
if process=sudo
(| rex message=(blah, blah, blah)
| stats count(process), blah, blah, blah)
etc., etc.,.....
I'm figuring this will be a combination of where, eval, case. However,I haven't figured out which one or combinations this would be.
I will continue to research and test. And any guidance or direction is appreciated.
Thanks in advance and God bless,
Genesius
Hello @genesiusj,
It depends on your use case, let me give you one example in which I want to extract field id from field either message1, message2 or message3 based on value of event_id field.
event_id=2, then I need to apply regex (?<id>\d+)
on message2 field.
| eval message=case(event_id==1,message1, event_id==2, message2, event_id==3, message3)
| rex field=message "(?<id>\d+)"
But yeah this is not a programming script so we need to find some approach based on use-cases. If you can explain your use-case explicitly I can guide.
Hello @genesiusj,
It depends on your use case, let me give you one example in which I want to extract field id from field either message1, message2 or message3 based on value of event_id field.
event_id=2, then I need to apply regex (?<id>\d+)
on message2 field.
| eval message=case(event_id==1,message1, event_id==2, message2, event_id==3, message3)
| rex field=message "(?<id>\d+)"
But yeah this is not a programming script so we need to find some approach based on use-cases. If you can explain your use-case explicitly I can guide.
@VatsalJagani
The events are from rsyslog. Based on the value of the field process (snmpd, sudo, crond, etc.) within the rsyslog event, I want to create new fields using the rex commands against _raw. I am using _raw because the information I am looking for is not in a predesignated field during ingest time.
Here is the SPL I have thus far, which works. But I need to have each of the different values for process run a different set of rex rename and stats commands.
index=linuxevents Connection
| rex field=_raw "]:\s+(?<SyslogMsg>.*$)"
| rex field=SyslogMsg "\[(?<SrcIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
| rex field=SyslogMsg "\[\S*\[(?<DstIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
| rename process as Process
| stats count by SrcIP, DstIP, Process
Here is an event with the word "Connection" inside _raw.
Jun 19 10:24:58 apps21 snmpd[9900]: Connection from UDP: [10.111.77.106]:60418->[10.222.143.6]:161
Here is a sample from the Statistics tab after running the search.
SrcIP DstIP Process count
10.111.77.100 10.222.143.6 snmpd 512
However, an event with sudo as the process would generate a different SyslogMsg from the rex command.
Jun 19 10:02:53 snk30 sudo: pam_unix(sudo:session): session opened for user root by onnyd(uid=0)
I have not written the rex and other commands for this yet, but I want to rex SyslogMsg for pam_unix into a Command field; opened into an Action field; onnyd into a User field; etc.
There are over 30 possible values for process. I don't want to create a separate search for each one.
I hope this clarifies what I am attempting to do.
I went to this site, https://splunkonbigdata.com, but so far I have not been able to find an answer.
Thanks for your help and God bless,
Genesius
Hi @genesiusj,
If you just want to extract different field based on some value then please use regex with that text specified like below:
| rex field=_raw "snmpd\[\d+\]\:\s+.*\[(?<SrcIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\]:\d+->\[(?<DstIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})\]:\d+"
| rex field=_raw "sudo:\s+(?<Command>[^(]+)\(sudo:session\):\s+session\s+(?<Action>[^\s]+)\sfor user root by (?<user>[^\(]+)\(uid=0\)"
But apart from field extraction you want so many more operations also you can use append
command.
index=linuxevents Connection sudo
| rex field=_raw "]:\s+(?<SyslogMsg>.*$)"
| rex field=SyslogMsg "\[(?<SrcIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
......
| append [
search index=linuxevents Connection sudo
| rex field=_raw "sudo:\s+(?<Command>[^(]+)\(sudo:session\):\s+session\s+(?<Action>[^\s]+)\sfor user root by (?<user>[^\(]+)\(uid=0\)"
......
]
...... <some other common operations>
Before using append [ ]
command, just take care of sub-search command limitation. By default sub-search returns only first 10k results, you can change this limit from limits.conf file.
Hope this helps!!!
@VatsalJagani
Thanks.
I know I am misunderstanding something here.
The below SPL returns 14,356 events, and the same number of rows in the Statistics tab. The rows in the Statistics tab contain SrcIP and DstIP, as well as the SyslogMsg from the rex commands in the first append (lines 4-6). However, the rows from the rex commands in the second append (lines 10-12) are completely blank.
1. index=prod_linuxevents process="sudo" OR process="snmpd"
2. | append [
3. search index=prod_linuxevents process="snmpd"
4. | rex field=_raw "]:\s+(?<SyslogMsg>.*$)"
5. | rex field=SyslogMsg "\[(?<SrcIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
6. | rex field=SyslogMsg "\[\S*\[(?<DstIP>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})"
7. ]
8. | append [
9. search index=prod_linuxevents process="sudo"
10. | rex field=_raw "]:\s+(?<SyslogMsg>.*$)"
11. | rex field=SyslogMsg "\.*root by (?<SudoID>\w{1,10})"
12. | rex field=SyslogMsg "\.*COMMAND=(?<SudoCommand>.*$)"
13. ]
14. | table SyslogMsg, SrcIP, DstIP, SudoID, SudoCommand
Thanks and God bless,
Genesius
Run line number 9 to 12 in separate search and check the result. What ever the result you get here the same you will get with append, as append is not any rocket science it just append multiple result set.
@Vatsal
Again, thank you so much for your help.
I had a typo during my cut and paste.
The first rex command creating SyslogMsg in each append were identical. This didn't work because _raw is different for each process value.
Thanks and God bless,
Genesius
@VatsalJagani
As this is a new Splunk implementation, before I get a chance to complete one thing, another is tossed our way.
I am getting back to old forum posts to Accept answers from those who have directed me down the correct path.
Apologies for the delay.
Thanks and God bless,
Genesius