Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Strange search results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am currently indexing bash history files. The user and other information are encapsulated in the file name when all the history files are collected.
e.g. /install/.log/20100910124129-server1.user1.user4.desktop1.domain.tld.log
I use the following EXTRACT in the props.conf:
EXTRACT-userinfo=/install/\.log/(?<LOGOUT>\d{14})-(?<CMDHOST>[^\.]+)\.(?<USER>[^\.]+)\.(?<EUSER>[^\.]+)\.(?<FORMHOST>\.+)\.log in source
On viewing the results form the search:
index=myindex
Shows all the fields in the field picker with the correct counts. When clicking on one of the fields the search changes to:
Index=myindex CMDHOST =”host1”
Shows “No matching events found”
Index=myindex CMDHOST =”*host1”
List all the events for the CMDHOST
index="myindex" | fields _raw, CMDHOST | search CMDHOST ="host1"
again lists all the events for the specific CMDHOST.
Any ideas?
BTW tested on Splunk 4.1.2 and 4.1.5 on MacOSX, Windows and FreeBSD.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is because Splunk expects the field value of the CMDHOST field to be part of the raw event (ie. the _raw field). You have two options to make the field-search work:
- Mark the fields with INDEXED_VALUE=false in fields.conf
fields.conf:
[CMDHOST]
INDEXED_VALUE=false
[LOGOUT]
INDEXED_VALUE=false
...
- Make the fields derived from the source field indexed
See this on how to configure index-time field extractions: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is because Splunk expects the field value of the CMDHOST field to be part of the raw event (ie. the _raw field). You have two options to make the field-search work:
- Mark the fields with INDEXED_VALUE=false in fields.conf
fields.conf:
[CMDHOST]
INDEXED_VALUE=false
[LOGOUT]
INDEXED_VALUE=false
...
- Make the fields derived from the source field indexed
See this on how to configure index-time field extractions: http://www.splunk.com/base/Documentation/latest/Admin/Configureindex-timefieldextraction
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you. This worked.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have not tested this yet myself, but upon first review of your description above, the fact that there is a dash char just before the host name makes me think it has something to do with that.
I would try escaping out that dash in your regex and see if it makes a difference.
EXTRACT-userinfo=/install/.log/(?<LOGOUT>\d{14})-(?<CMDHOST>[^.]+).(?<USER>[^.]+).(?<EUSER>[^.]+).(?<FORMHOST>.+).log
OR try this version of the regex that uses \S+ for the value extraction, since there are no spaces in the event.
EXTRACT-userinfo=/install/.log/(?<LOGOUT>\d{14})-(?<CMDHOST>\S+?).(?<USER>\S+?).(?<EUSER>\S+?).(?<FORMHOST>\S+).log
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
