Splunk Search

Regex for different logs

marco_massari11
Communicator

Hi,

I have similar authentication logs as below:

LOG 1:

03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session

 

LOG2:

%%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2

 

The regex below works only for event LOG2:

(?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

 

Probably it doesn't match special characters, any idea to solve that?

Thank you in advance!

 

Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The single quote in LOG 1 prevented a match.  This regex works with both samples.

(?<user>\w+)'?\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The single quote in LOG 1 prevented a match.  This regex works with both samples.

(?<user>\w+)'?\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...