Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

create field for syslog raw data

SridharS
Path Finder
‎08-31-2015 07:19 AM

Aug 31 10:06:32 serverA.com Aug 31 16:06:32 [serverA: HTTPPool02:debug]: sridhar:AUTH:error:Login failed for user sridhar from IP 10.100.150.110. reason "User not authenticated"

Aug 31 10:06:32 ServerB.com Aug 31 22:06:32 [ServerB:HTTPPool03:debug]: netsupport:AUTH:error:Login failed for an unknown user from IP 11.200.10.110. reason "User does not exist"

Above are the raw data of my search. The sourece=UDP port sourcetype=syslog and index=syslog. I need to create fields "user" and "reason". May i know what regex command can i use and reflect it in my transforms.conf and props.conf files.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:02 AM

You can add this to your props.conf 

EXTRACT-fields = Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)

This should give you both User and reason extracted.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎08-31-2015 08:02 AM

You can add this to your props.conf 

EXTRACT-fields = Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)

This should give you both User and reason extracted.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2015 08:29 AM

This is probably better than my answer. I would improve it by making the first group non-capturing (?:an|user).

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-31-2015 09:05 AM

Thanks Richard for the suggestion. Implemented.

0 Karma
Reply
Solved! Jump to solution

SridharS
Path Finder
‎09-01-2015 08:37 AM

HI, EXTRACT-fields = Login failed for (?:an|user) (?.+) from IP.*reason \"(?[^\"]+) this regex work. Thank you. I made it through splunk web -> settings->fields

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2015 09:13 AM

If it works, please accept an answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-31-2015 07:55 AM

This regex string will extract the user and reason text. In the case of "unknown user", the user field will be empty.

for (?:.*?)user (?<user>\w*)\s*from.*reason \"(?<reason>[^\"]*)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

SridharS
Path Finder
‎09-01-2015 08:49 AM

Sep 1 11:42:58 serverA.com Sep 1 21:12:58 [serverA: rshd_0:debug]: netsupport@[192.100.200.81_4177]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run serverB df -m
Sep 1 11:42:53 serverA.com Sep 2 01:42:53 [serverA:rshd_0:debug]: netsupport@[192.100.200.76_62046]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run ServerBrt igroup show

Above is the raw data of my search. I need to extract the field INPUT COMMAND. I tried this with some regex expression, but am not a genius to find it asap. Am struggling with this can someone help me in this and if possible can you please describe which value or symbol represents what in this command. thanks in advance.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎09-01-2015 10:58 AM

Use following regex

INPUT COMMAND is (?<Command>.*)
0 Karma
Reply
Get Updates on the Splunk Community!

How to Monitor Google Kubernetes Engine (GKE)

We’ve looked at how to integrate Kubernetes environments with Splunk Observability Cloud, but what about ...

Index This | How can you make 45 using only 4?

October 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...

Splunk Education Goes to Washington | Splunk GovSummit 2024

If you’re in the Washington, D.C. area, this is your opportunity to take your career and Splunk skills to the ...