add a word/string as a field

amir_thales
Path Finder

Hello,

I'm a newbie in the world of Splunk and I would like to know how I can add this word to make it a field.

My log is :

<85>Jun 9 14:00:58 ccstcasi sudo[10277]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status

USER=root host=localhost source=tcp:514 sourcetype=tcp-raw

I want to change my log to another log where splunker will be SUDO_ORIGIN=splunker, because splunker is the user who initiated the sudo command.

So I want something like this:

<85>Jun 9 14:00:58 ccstcasi sudo[10277]: SUDO_ORIGIN=splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status

USER=root host=localhost source=tcp:514 sourcetype=tcp-raw SUDO_ORIGIN:splunker or other user

This is because I want to visualize a histogram with the count of sudo commands / time, and I want to filter the sudo commands by SUDO_ORIGIN, that is, all users who execute the sudo command.

Thank you

PS: Sorry for my English


yannK
Splunk Employee

You can create a field extraction (using a regex, or the field extractor mentioned by Adonio above). And name the field you created, to be SUDO_ORIGIN.

Assuming that the event always has something like "sudo[somenumber]: sudo_username ", here is an example of an inline regex:

mysearch_for_sudo_events  | rex "sudo\[\d+\]: (?<SUDO_ORIGIN>\w+) :"
| table _time SUDO_ORIGIN _raw
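
The extraction from the answer above, run offline against sample lines and followed by the per-hour count per SUDO_ORIGIN that the question asks for. This is an added example, not part of the original post: it goes beyond the single log line in the thread by adding an assumed tolerant pattern (`TOLERANT_RE`), and the sample events (all but the first), the year, and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Python spells named groups (?P<name>...); Splunk's rex accepts (?<name>...).
# This is the answer's pattern, changed only in that respect.
ANSWER_RE = re.compile(r"sudo\[\d+\]: (?P<SUDO_ORIGIN>\w+) :")
# Assumed variant (not from the thread): tolerates padded spaces, a missing
# [pid], and '-' or '.' inside account names.
TOLERANT_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<SUDO_ORIGIN>[\w.-]+)\s+:")
TS_RE = re.compile(r"^<\d+>(\w{3}\s+\d+ \d\d:\d\d:\d\d) ")

# Constructed sample events; only the first is the line quoted in the question.
SAMPLE = [
    "<85>Jun 9 14:00:58 ccstcasi sudo[10277]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status",
    "<85>Jun 9 14:20:11 ccstcasi sudo[10301]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/bin/ls /root",
    "<85>Jun 9 15:02:40 ccstcasi sudo[10412]: svc-backup : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/rsync -a /etc /backup",
    "<85>Jun 9 15:07:03 ccstcasi sudo:   alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart sshd",
    "<86>Jun 9 15:07:04 ccstcasi sshd[2211]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2",
]

def extract(line, pattern):
    """Return the SUDO_ORIGIN value, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("SUDO_ORIGIN") if m else None

def hourly_counts(lines, pattern, year=2020):
    """Count sudo events per (hour bucket, SUDO_ORIGIN); syslog has no year, so it is assumed."""
    counts = Counter()
    for line in lines:
        user, ts = extract(line, pattern), TS_RE.match(line)
        if user is None or ts is None:
            continue  # not a sudo event, or no parsable timestamp
        when = datetime.strptime(f"{year} {ts.group(1)}", "%Y %b %d %H:%M:%S")
        counts[(when.strftime("%m-%d %H:00"), user)] += 1
    return counts

if __name__ == "__main__":
    for (bucket, user), n in sorted(hourly_counts(SAMPLE, TOLERANT_RE).items()):
        print(bucket, user, n)
    missed = [l for l in SAMPLE if "COMMAND=" in l and extract(l, ANSWER_RE) is None]
    print(len(missed), "sudo events not matched by the answer's pattern")
```

Events that an extraction silently fails to match never reach the chart, so it is worth checking the pattern against every account-name and spacing style present in the data before relying on the counts.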


amir_thales
Path Finder

Hello yannK and Adonio,

Thanks for your answers, which helped me a lot.

Amir

Cordially

0 Karma

amir_thales
Path Finder

Sorry for the response time, being an alternate student I could not answer you.

Thank you yannK and adonio for your answer, it helped me a lot

Amir
Cordially

0 Karma


adonio
Ultra Champion

Hello amir,
you can use the interface field extractor:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
Also, it looks like some Linux log; I think that the Add-on for Linux has this one prebuilt.
Try to download and use it from here:
https://splunkbase.splunk.com/app/833/
Follow the docs on the app.
Hope it helps.

0 Karma