Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Regex help Required
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Regex help Required
Hi All,
We are planning to ingest the SQL login success and failure logs into Splunk. So in the logs there are lot of events but we want to ingest only the "Login succeeded for user" and "Login failed for user" information alone. So kindly help to provide the regex for the same.
Sample events looks like below:
2020-08-10 06:00:00.89 Logon Login succeeded for user 'ad\SQL_abcde123'. Connection made using Windows authentication. [CLIENT: <local machine>]
2020-08-10 06:00:01.59 Logon Login succeeded for user 'xyz'. Connection made using SQL Server authentication. [CLIENT: xxx.xxx.xxx.xxx]
2019-08-10 05:00:01.59 Logon Login failed for user ''. Reason: An attempt to login using SQL authentication failed. Server is configured for Windows authentication only. [CLIENT: xxx.xxx.xx.xxx]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
https://docs.splunk.com/Documentation/Splunk/8.0.5/Data/Whitelistorblacklistspecificincomingdata
[yours]
whitelist = (succeeded|failed) for user
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for your swift response. So i need to write in props.conf (or) should i need to include the same in inputs.conf along with index and sourcetype information.
Or Whether do we need to have both props and transforms in place as well?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Have mentioned in the input.conf and ingested the logs into Splunk. But still i can see other events also getting ingested as well. I just want to see the succeeded and failed events alone. so let me know how to fix it.
[monitor://D:\Server Location]
whitelist = (succeeded|failed) for user
sourcetype = xyz
index = abc
crcSalt = <SOURCE>
disabled = 0
So kindly help on this request.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help on my request..
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can anyone help
See Splunk Platform & Observability Innovations at Cisco Live EMEA
The OpenTelemetry Certified Associate (OTCA) Exam
From Manual to Agentic: Level Up Your SOC at Cisco Live
