Splunk Search

Regex for different logs

marco_massari11
Communicator

Hi,

I have similar authentication logs as below:

LOG 1:

03362 auth: ST1-CMDR: User 'my-global\admin' logged in from IP1 to WEB_UI session

 

LOG2:

%%10WEB/4/WEBOPT_LOGIN_SUC(l): admin logged in from IP2

 

The regex below works only for event LOG2:

(?<user>\w+)\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})

 

Probably it doesn't match special characters, any idea to solve that?

Thank you in advance!

 

Labels (4)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The single quote in LOG 1 prevented a match.  This regex works with both samples.

(?<user>\w+)'?\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway
SplunkTrust
SplunkTrust

The single quote in LOG 1 prevented a match.  This regex works with both samples.

(?<user>\w+)'?\slogged\sin\sfrom\s(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})
---
If this reply helps you, Karma would be appreciated.
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...