Splunk Search

REGEX help on field extraction?

Contributor

Hi,

I am trying to extract fields from events and here are the sample events:

AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4

TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit

CRON_Start root OK Tue Oct 05 23:40:00 2010 cron

S_PASSWD_READ root OK Tue Oct 05 23:40:00 2010 java

I am trying to extract the "login" field (user1, root), but the generated pattern doesn't match all values.

For example, if I selected user1 and root as the example values, the pattern generated only captures the event for TCB_Exec, and not other events like AUD_Proc, CRON_Start & S_PASSWD_READ.


Splunk Employee

yes, something like:

[yoursourcetype]
EXTRACT-loginfield = ^\S+\s+(?<login>\S+)
EXTRACT-Status = ^\S+\s+\S+\s+(?<status>\S+)

..etc..

props.conf.spec for more info

Contributor

I see, thanks, it works fine.

Contributor

Thanks for the prompt reply.

Do I specify the commands you've provided in props.conf?

Here is a list of examples where it contains 5 columns (e.g. event - FS_Chdir, login - user3, status - OK, time, command - tsm, su), etc.

I'm trying to extract these fields for the 5 columns.

FS_Chdir user3 OK Tue Oct 26 11:10:49 2004 tsm
change current directory to: /home/user3

S_ENVIRON_WRITE user3 FAIL Tue Oct 26 11:10:49 2004 tsm
audit object write event detected /etc/security/environ

S_PASSWD_READ user3 OK Tue Oct 26 11:10:50 2004 su
audit object read event detected /etc/security/passwd

S_PASSWD_READ user3 OK Tue Oct 26 11:10:50 2004 su
audit object read event detected /etc/security/passwd

USER_SU user3 OK Tue Oct 26 11:10:53 2004 su
root

AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit
pid: 0 cmd: 4

TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit
filename: /usr/sbin/audit

CRON_Start root OK Tue Oct 05 23:40:00 2010 cron

Splunk Employee

I would use:

REGEX = ^\S+\s+(?<fieldname>\S+)

Splunk Employee

I think something like this should work for you:

REGEX = ^\w+ (\w+)
Yourfield  = $1

If you can send a bigger log file I can be a bit more sure, but using a regex tester this works ok for me.

Hope this helps

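To show that the anchored-regex approach from the answers covers all five columns the asker listed (event, login, status, time, command) on every sample event in the thread, here is an added Python example that is not part of the thread or of Splunk. It uses Python's re module (named groups are written (?P<name>...) instead of Splunk's (?<name>...)) and assumes each event arrives as one string, like Splunk's _raw, with any continuation line still attached.

```python
import re

# Same idea as the thread's EXTRACT regex, extended to all five columns.
# Python spells named groups (?P<name>...); Splunk's PCRE accepts (?<name>...).
FIELD_RE = re.compile(
    r"^(?P<event>\S+)\s+"
    r"(?P<login>\S+)\s+"
    r"(?P<status>\S+)\s+"
    r"(?P<time>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<command>\S+)"
)

# Constructed sample events, taken from the thread; a second line belongs to
# the same event string, exactly as it would in _raw.
SAMPLE_EVENTS = [
    "AUD_Proc user1 OK Thu Sep 16 15:09:45 2010 audit\npid: 0 cmd: 4",
    "TCB_Exec user1 OK Thu Sep 16 15:09:45 2010 audit\nfilename: /usr/sbin/audit",
    "CRON_Start root OK Tue Oct 05 23:40:00 2010 cron",
    "S_ENVIRON_WRITE user3 FAIL Tue Oct 26 11:10:49 2004 tsm\n"
    "audit object write event detected /etc/security/environ",
    "USER_SU user3 OK Tue Oct 26 11:10:53 2004 su\nroot",
]


def extract_fields(raw):
    """Return the five header fields of one event, or None if the header does not match.

    Without re.MULTILINE, ^ anchors only to the start of the event, so a
    continuation line such as "pid: 0 cmd: 4" or "root" is never taken as a header.
    """
    m = FIELD_RE.match(raw)
    return m.groupdict() if m else None


def extract_all(events):
    """Run the extraction over every event and keep only those that matched."""
    return [f for f in (extract_fields(e) for e in events) if f is not None]


def failed_logins(events):
    """Defender-side use of the status column: (login, event) pairs whose status is FAIL."""
    return [(f["login"], f["event"]) for f in extract_all(events) if f["status"] == "FAIL"]


if __name__ == "__main__":
    for fields in extract_all(SAMPLE_EVENTS):
        print(fields)
    print("FAIL:", failed_logins(SAMPLE_EVENTS))
```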