Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex for filed extraction

darshan_singh01
Path Finder
‎02-13-2014 08:12 PM

Feb 13 22:01:25 XXXINFQST03 sshd[9161]: Accepted password for admin from

Above is the message I am getting from Linux logs from which I want to create fileds like

Time:Feb 13 22:01:25 & User=admin

Can anyone provide me the regex for this or any other way ??

Help apprecieted ..

Tags (3)
0 Karma
Reply

dshpritz
SplunkTrust
SplunkTrust
‎02-13-2014 09:27 PM

If your sourcetype is syslog, and you have Splunk_TA_nix installed, you should get the user information that you want. If you really want it all in one field, you could try this in your props.conf:

[mysourcetype]
REPORT-myfield = myfield

Then in your transforms.conf

[myfield]
REGEX = (\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}).*Accepted\spassword\sfor\s(\S+)
FORMAT = myfield::Time:$1 & User=$2

Not positive about the spaces in the FORMAT section, but it's a start.

HTH

Dave

Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...