Splunk Search

How to search and extract SSH user accounts which are logged in with an interactive login based on my sample data?

akashjohn
Explorer

Hi Team,

I am looking for a Splunk search to get a statistics table output

What I am looking for is the SSH user accounts which are logged in with interactive login. Note that the user names will be starting with a specific prefix, support_ (support_1, support_2, etc.). Could you please let me know how we can achieve this?

0 Karma

sundareshr
Legend

Try this

index=xyz ("sshd" AND "keyboard-interactive/pam for support_*")  | rex "support_(?<support_user>[^\s]+)"  | stats count by support_user 
0 Karma

jplumsdaine22
Influencer

Without knowing what fields are available to you, this following search would work:

"Accepted keyboard-interactive/pam for support_*" 

If you want to extract the username inline you can try this

"Accepted keyboard-interactive/pam for support_*"  | rex field=_raw "support_(?<support_user>[^\s]+)" 

And then append whatever stats/timechart etc search you wish after that, eg

"Accepted keyboard-interactive/pam for support_*"  | rex field=_raw "support_(?<support_user>[^\s]+)"  | stats count by support_user
0 Karma

renjith_nair
Legend

Do you have some sample data and field names? If you just want to exclude specific strings, just try

index=yourindex source=yoursource ...rest of your search NOT "support_*"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

akashjohn
Explorer

Hi Renjith,

Please find the sample data below,

Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2

We need to extract the user names (in the above case support_win_dev_scope) from all samples like this.

0 Karma
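An added example, not from anyone in this thread, that applies the same extraction offline in Python to constructed sshd lines (the first is the one posted above, the rest are made up). Unlike the `support_(?<support_user>[^\s]+)` rex, which captures only the part after the prefix, it keeps the full account name, and it ignores publickey logins and failed attempts the way the `Accepted keyboard-interactive/pam` filter does.

```python
import re
from collections import Counter

# Constructed sample sshd lines: interactive logins, one publickey login,
# one failed attempt and one non-support_ account that should all be handled.
SAMPLE_LOGS = [
    "Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2",
    "Jul 13 04:25:11 dev-ron-aka-vin sshd[23301]: Accepted keyboard-interactive/pam for support_1 from 10.1.0.3 port 50122 ssh2",
    "Jul 13 04:26:40 dev-ron-aka-vin sshd[23355]: Accepted publickey for support_2 from 10.1.0.4 port 50200 ssh2: RSA SHA256:CONSTRUCTED",
    "Jul 13 04:27:02 dev-ron-aka-vin sshd[23390]: Failed keyboard-interactive/pam for support_1 from 10.1.0.9 port 50311 ssh2",
    "Jul 13 04:28:15 dev-ron-aka-vin sshd[23402]: Accepted keyboard-interactive/pam for support_1 from 10.1.0.3 port 50130 ssh2",
    "Jul 13 04:29:00 dev-ron-aka-vin sshd[23410]: Accepted keyboard-interactive/pam for admin from 10.1.0.5 port 50140 ssh2",
]

# Same filter as the thread's search: successful interactive logins for support_ accounts only.
# The user group keeps the whole account name; \s+ before "port" tolerates the double space in the sample.
INTERACTIVE_LOGIN = re.compile(
    r"sshd\[\d+\]: Accepted keyboard-interactive/pam for "
    r"(?P<user>support_\S+) from (?P<src_ip>\S+)\s+port (?P<port>\d+)"
)


def extract_interactive_support_logins(lines):
    """Return (user, src_ip, port) for every matching line, like the rex stage."""
    hits = []
    for line in lines:
        m = INTERACTIVE_LOGIN.search(line)
        if m:
            hits.append((m.group("user"), m.group("src_ip"), int(m.group("port"))))
    return hits


def count_by_user(lines):
    """Offline equivalent of `| stats count by support_user`."""
    return dict(Counter(user for user, _, _ in extract_interactive_support_logins(lines)))


if __name__ == "__main__":
    for user, n in sorted(count_by_user(SAMPLE_LOGS).items()):
        print(f"{user}\t{n}")
```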