chopping up lastlog

JJ_of_c9
Engager

I have managed to get our linux hosts' lastlog data in our Splunk> (version 5.0.2, build 149561) easily enough, but what I am trying to accomplish (with any additional app installs, thanks) is "chop up" the lastlog results into a chart by host, user, ip and date.

I tried Extract Fields on the results and could NOT get it to recognize a list of 40 names.
20 Most Common and 20 'Random' names, either together or separately, both return "No regex could be learned. Try providing different examples or restriction."

I tried the actual names from "sample events" and it just barks the same message.
Even the simple names list (Lucy Ricky Fred Ethel) fails.

We have the Splunk_TA_nix installed.

Sample data via splunk shows:

USERNAME      FROM              LATEST
root          xx.xxx.61.95      Jun 5 06:15:58 2013
some_user     isp-24-249-207-   Jun 4 08:03:29 2013
another_user  what.ever         Jun 2 13:00:15 2013

Edit: Wed Jun 05, 2013 - 1:01:38 PM EDT

Extracted Fields vs Indexed Fields...so I want to extract the usernames from the output of

sourcetype="lastlog" host="*"

Fri Jun 07, 2013 - 2:22:40 PM EDT
Some progress...

\w+\s+\w+\s+\w+\s+(?P<username>[^ ]+)

but this only grabs "root" and one other username, so still banging away...

Thanks

1 Solution

glitchcowboy
Path Finder

Is this what you're looking for?:

index=os sourcetype=lastlog | multikv | table host,LATEST,FROM,USERNAME

mike11339
Explorer

I also found this format to be useful and easy to read.

sourcetype="lastlog" | dedup host | multikv | stats list(USERNAME) AS login_user, list(LATEST) AS login_time by host

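The two searches above do the same job in two steps: `multikv` splits the USERNAME/FROM/LATEST table into one row per user, and `dedup host` keeps only the newest capture of each host before the rows are listed per host. The following Python is an added example (not code from this thread, from Splunk or from Splunk_TA_nix) that does the same thing on the raw text, so the parsing and the per-host reduction can be checked offline: a row-by-row parse is what makes this robust where the single positional regex in the question was not. The sample captures, the host names and the 192.0.2.x address are constructed; the function names are the example's own. It also covers two rows the thread's sample does not show but real lastlog output does, a console login with an empty FROM column and a "**Never logged in**" row, and finishes with a small review check that lists hosts where root's last login arrived over the network.

```python
import re
from datetime import datetime

# One data row: user, an optional FROM column (empty for console logins) and the
# ctime-style LATEST timestamp. "**Never logged in**" rows do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?:(?P<src>\S+)\s+)?"
    r"(?P<latest>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})$"
)
HEADER_RE = re.compile(r"^USERNAME\s+FROM\s+LATEST$")

# Constructed sample events (not real data): db01 is captured twice so that the
# "newest capture per host" step, i.e. `dedup host`, is exercised.
SAMPLE_EVENTS = [
    {"host": "web01", "_time": "2013-06-05T06:20:00", "_raw":
        "USERNAME FROM LATEST\n"
        "root 192.0.2.10 Jun  5 06:15:58 2013\n"
        "some_user isp-24-249-207- Jun  4 08:03:29 2013\n"
        "backup **Never logged in**\n"},
    {"host": "db01", "_time": "2013-06-02T13:05:00", "_raw":
        "USERNAME FROM LATEST\n"
        "another_user what.ever Jun  2 13:00:15 2013\n"},
    {"host": "db01", "_time": "2013-06-04T09:00:00", "_raw":   # newer capture of db01
        "USERNAME FROM LATEST\n"
        "another_user what.ever Jun  2 13:00:15 2013\n"
        "operator Jun  4 08:55:01 2013\n"},                    # console login: no FROM
]


def parse_lastlog(raw):
    """Split one lastlog capture into dicts, one per user (the `multikv` step)."""
    rows = []
    for line in raw.splitlines():
        line = line.strip()
        if not line or HEADER_RE.match(line):
            continue
        m = ROW_RE.match(line)
        if not m:
            continue  # e.g. "backup **Never logged in**"
        latest = datetime.strptime(re.sub(r"\s+", " ", m["latest"]),
                                   "%b %d %H:%M:%S %Y")
        rows.append({"USERNAME": m["user"], "FROM": m["src"] or "", "LATEST": latest})
    return rows


def dedup_host(events):
    """Keep only the newest capture per host (the `dedup host` step); _time is ISO 8601."""
    newest = {}
    for ev in events:
        if ev["host"] not in newest or ev["_time"] > newest[ev["host"]]["_time"]:
            newest[ev["host"]] = ev
    return list(newest.values())


def logins_by_host(events):
    """host -> [(USERNAME, FROM, LATEST), ...], the shape of the `stats list(...) by host` search."""
    table = {}
    for ev in dedup_host(events):
        table[ev["host"]] = [(r["USERNAME"], r["FROM"], r["LATEST"])
                             for r in parse_lastlog(ev["_raw"])]
    return table


def remote_root_logins(events):
    """Hosts where root's most recent login came from somewhere other than the console."""
    hits = []
    for host, rows in sorted(logins_by_host(events).items()):
        for user, src, latest in rows:
            if user == "root" and src:
                hits.append((host, src, latest.isoformat()))
    return hits


if __name__ == "__main__":
    for host, rows in logins_by_host(SAMPLE_EVENTS).items():
        for user, src, latest in rows:
            print(f"{host:6} {user:14} {src or '(console)':18} {latest:%Y-%m-%d %H:%M:%S}")
    print("root over the network:", remote_root_logins(SAMPLE_EVENTS))
```

Keeping the datetime as a real value rather than the ctime string is what lets you sort or age out entries correctly; in Splunk the equivalent is `strptime(LATEST, "%b %d %H:%M:%S %Y")` in an `eval` after `multikv`.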
piebob
Splunk Employee

jj: if glitch's answer solved your problem, please accept his answer by checking the checkbox. thanks!

JJ_of_c9
Engager

Very close and it gives me so much to work with. I can shape the output further thanks to you and this working example.

sourcetype="lastlog" | multikv | dedup host sortby -_time | table host,USERNAME,LATEST,FROM

Thank you very much!

John Jones of cirrhus9.com
