Splunk Search

Regex for different logs

marco_massari11
Communicator

Hi,

I have similar authentication logs as below:

LOG 1:

03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session

 

LOG2:

%%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2

 

The regex below works only for event LOG2:

(?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

 

Probably it doesn't match special characters, any idea to solve that?

Thank you in advance!

 

Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The single quote in LOG 1 prevented a match.  This regex works with both samples.

(?<user>\w+)'?\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The single quote in LOG 1 prevented a match.  This regex works with both samples.

(?<user>\w+)'?\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...