Splunk Search

Need help forming regex to extract username from log


trying to search for when sudo user1 adds user2 to a group and I want to extract the name of the user2 that was added to a group.
I am searching the audit.log file from my universal forwarder that's running on a Linux box. I am having trouble using regex to grab the name from acct="NAME" field because of the double quotes.

Below is my search string and log results:

search string:
index=* host=* sourcetype="*" "usermod" OR "visudo" AND "type=USER_MGMT"

log results:
type=USER_MGMT msg=audit(1501611744.115:10994): pid=24473 uid=0 auid=1002 ses=1236 msg='op=add-user-to-shadow-group grp="wheel" acct="addbyjoe" exe="/usr/sbin/usermod" hostname=? addr=? terminal=pts/1 res=success'

How to I extract the name(addbyjoe) from acct="addbyjoe" in the log results above?

0 Karma

Re: Need help forming regex to extract username from log


Hi jcorkey,
if the format of your logs is the one you described in your question, Splunk already extracts acct field.
otherwise you have to use a regex like the following

| rex "acct\=\"(?<user>[^\"]*)\""

if it doesn'r run, please share an example of your logs.

View solution in original post

0 Karma
Speak Up for Splunk Careers!

We want to better understand the impact Splunk experience and expertise has has on individuals' careers, and help highlight the growing demand for Splunk skills.