Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

add a word/string as a field

amir_thales
Path Finder
‎06-09-2017 07:25 AM

Hello,

i'm a newbie in the world of splunk and i would know how i can add this word to make it a field

My log is :

<85>Jun 9 14:00:58 ccstcasi sudo[10277]: splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status

USER =root host =localhost source =tcp:514 sourcetype =tcp-raw

i want to change my log to a other log where splunker will be SUDO_ORIGIN=splunker because splunker is the user who initiated the sudo command.

so i want something like that:

<85>Jun 9 14:00:58 ccstcasi sudo[10277]: SUDO_ORIGIN=splunker : TTY=pts/0 ; PWD=/home/splunker ; USER=root ; COMMAND=/sbin/service chronyd status

USER =root host =localhost source =tcp:514 sourcetype =tcp-raw SUDO_ORIGIN:splunker or other user

because i want to visualize a histogram with: count of sudo command / time and i want to filter the sudo command with SUDO_ORIGIN that is all user who execute the sudo command.

Thank you

PS: Sorry for my english

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-09-2017 10:10 AM

You can create a field extraction (using a regex, or the field extractor mentioned by Adonio above). And name the field you created, to be SUDO_ORIGIN.

Assuming that the event always has something like "sudo[somenumber]: sudo_username "
example of inline regex : 

mysearch_for_sudo_events  | rex "sudo\[\d+\]: (?<SUDO_ORIGIN>\w+) :"
| table _time SUDO_ORIGIN _raw

View solution in original post

Reply
Solved! Jump to solution

amir_thales
Path Finder
‎06-14-2017 03:36 AM

Hello yannK and Adonio,

thanks for your answers which helped me a lot.

Amir

Cordialy

0 Karma
Reply
Solved! Jump to solution

amir_thales
Path Finder
‎06-14-2017 02:22 AM

Sorry for the response time, being an alternate student I could not answer you.

Thank you yannK and adonio for your answer, it helped me a lot

Amir
Cordialy

0 Karma
Reply
Solved! Jump to solution
Solution

yannK
Splunk Employee
Splunk Employee
‎06-09-2017 10:10 AM

You can create a field extraction (using a regex, or the field extractor mentioned by Adonio above). And name the field you created, to be SUDO_ORIGIN.

Assuming that the event always has something like "sudo[somenumber]: sudo_username "
example of inline regex : 

mysearch_for_sudo_events  | rex "sudo\[\d+\]: (?<SUDO_ORIGIN>\w+) :"
| table _time SUDO_ORIGIN _raw
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎06-09-2017 09:36 AM

hello amir,
you can use the interface filed extractor:
https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
also, looks like some linux log, i think that the Add-on for linux has this one prebuilt
try download and use here:
https://splunkbase.splunk.com/app/833/
follow the docs on the app
hope it helps

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...