Splunk Search
Highlighted

Working with eventtypes

Builder

I'm wondering if someone can provide me with a suggestion on how to handle this (probably straight-forward) scenario.

So here's an event:

PSAPPSRV.14586 (13) 07/12/12 09:17:46 GetCertificate Sign on PeopleCode authentication succeeded for user ABCUSER123@foo.xyz.com.

Here's a similar event:

PSAPPSRV.29564 (7) 07/22/12 02:37:15 GetCertificate Sign on PeopleCode authentication succeeded for user ABCUSER123@987.123.456.33.

They're similar except that one event has a user/hostname, the other has a user/IP address.
(The hostnames/IP addresses have been modified for anonymity.)

What I want to do is have a single event type called "psloginsuccess" that will include events from any user from any host or IP.

I also want to extract two fields from these events: the "ps_user" (ABCUSER123) and, depending on context, either the remote hostname or the remote IP.

So my questions:

  1. The eventtype wizard can't quite do what I need it to do. What does this eventtype definition look like if I need to do it manually?

  2. Similar question regarding the field extractions.. I can't get the field extractor to do what I need it to do either. Am I creating two regex's, one for each scenario? Or is there a way to do it with one?

  3. Should I extract the fields within the context of the eventtype? Or should the field extraction be separate from the eventtype?

Thank you in advance for your assistance!

0 Karma
Highlighted

Re: Working with eventtypes

Legend

First, if you run this search, does it only retrieve events that should belong to the eventtype?

"Sign on" "authentication succeeded for user"

If yes, then click "Create -> Eventtype" in 4.3. In earlier versions, choose "Save as event type..." from the Actions menu.
Give the eventtype the name "ps_login_success" and save it.

Second, regarding field extractions. You can do this with one regular expression, like this:

"authentication succeeded for user (?P<userName>.*?)@(?P<userDomain>\.*?)\.\s"

You could put this in props.conf, or use it in a rex command:

yoursearchhere 
| rex "authentication succeeded for user (?P<userName>.*?)@(?P<userDomain>\.*?)\.\s" 
| stats count by userDomain userName

In props.conf

[sourcetypenamehere]
EXTRACT-e1= "authentication succeeded for user (?P<userName>.*?)@(?P<userDomain>\.*?)\.\s"

The field extraction is separate from the eventtype.

Highlighted

Re: Working with eventtypes

Builder

Thank you for your response. The trouble I ran into was figuring out how to distinguish one eventtype "format" from the other (i.e. one with a hostname from one with an IP). Then it turns out there was a third format. Ugh!

I got around this using the "punct" feature. However, I think your suggestion is simpler. I will give it a try, thanks!

0 Karma