Splunk Search

How to search and extract SSH user accounts which are logged in with an interactive login based on my sample data?

akashjohn
Explorer

Hi Team,

I am looking for a Splunk search to get a statistics table output

I am looking for is the SSH user accounts which are logged in with interactive login and note that the user names will be starting with a specific prefix as support_ (support_1, support_2, etc). Could you please let me know how can we achieve this?

0 Karma

sundareshr
Legend

Try this

index=xyz ("sshd" AND "keyboard-interactive/pam for support_*")  | rex "support_(?<support_user>[^\s]+)"  | stats count by support_user 
0 Karma

jplumsdaine22
Influencer

Without knowing what fields are available to you, this following search would work:

"Accepted keyboard-interactive/pam for support_*" 

If you want to extract the username inline you can try this

"Accepted keyboard-interactive/pam for support_*"  | rex _raw="support_(?<support_user>[^\s]+)" 

And then append whatever stats/timechart etc search you wish after that, eg

"Accepted keyboard-interactive/pam for support_*"  | rex _raw="support_(?<support_user>[^\s]+)"  | stats count by user
0 Karma

renjith_nair
Legend

Do you have some sample data and field names? If you just want to exclude specific strings , just try

index=yourindex source=yoursource ...rest of your search NOT "support_*"
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

akashjohn
Explorer

Hi Renjith,

Please find the sample data below,

Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2

We need to extract the user names (in above case support_win_dev_scope ) form all samples like this.

0 Karma
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...