create field for syslog raw data

SridharS
Path Finder

Aug 31 10:06:32 serverA.com Aug 31 16:06:32 [serverA: HTTPPool02:debug]: sridhar:AUTH:error:Login failed for user sridhar from IP 10.100.150.110. reason "User not authenticated"

Aug 31 10:06:32 ServerB.com Aug 31 22:06:32 [ServerB:HTTPPool03:debug]: netsupport:AUTH:error:Login failed for an unknown user from IP 11.200.10.110. reason "User does not exist"

Above are the raw data of my search. The source=UDP port, sourcetype=syslog and index=syslog. I need to create fields "user" and "reason". May I know what regex command I can use and reflect it in my transforms.conf and props.conf files?

0 Karma
1 Solution

somesoni2
Revered Legend

You can add this to your props.conf

EXTRACT-fields = Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)

This should give you both User and reason extracted.

0 Karma

richgalloway
SplunkTrust

This is probably better than my answer. I would improve it by making the first group non-capturing (?:an|user).

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

Thanks Richard for the suggestion. Implemented.

0 Karma

SridharS
Path Finder

Hi, EXTRACT-fields = Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+) this regex works. Thank you. I made it through splunk web -> settings->fields

0 Karma

richgalloway
SplunkTrust

If it works, please accept an answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

This regex string will extract the user and reason text. In the case of "unknown user", the user field will be empty.

for (?:.*?)user (?<user>\w*)\s*from.*reason \"(?<reason>[^\"]*)
---
If this reply helps you, Karma would be appreciated.
0 Karma

SridharS
Path Finder

Sep 1 11:42:58 serverA.com Sep 1 21:12:58 [serverA: rshd_0:debug]: netsupport@[192.100.200.81_4177]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run serverB df -m
Sep 1 11:42:53 serverA.com Sep 2 01:42:53 [serverA:rshd_0:debug]: netsupport@[192.100.200.76_62046]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run ServerBrt igroup show

Above is the raw data of my search. I need to extract the field INPUT COMMAND. I tried this with some regex expressions, but I am not a genius enough to find it asap. I am struggling with this; can someone help me with it and, if possible, can you please describe which value or symbol represents what in this command? Thanks in advance.

0 Karma

somesoni2
Revered Legend

Use the following regex

INPUT COMMAND is (?<Command>.*)
0 Karma
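To check the three extractions proposed in this thread outside Splunk before putting them in props.conf, here is an added Python example (not code from any of the posters) that emulates an EXTRACT-* stanza: it rewrites Splunk's PCRE named groups to Python syntax and runs each regex over the raw events quoted above. It demonstrates the difference raised in the replies: the accepted regex returns User="unknown user" for the second event, while the alternative returns an empty user.

```python
import re

# Raw events copied from the question posts in this thread.
EVENTS = [
    'Aug 31 10:06:32 serverA.com Aug 31 16:06:32 [serverA: HTTPPool02:debug]: sridhar:AUTH:error:Login failed for user sridhar from IP 10.100.150.110. reason "User not authenticated"',
    'Aug 31 10:06:32 ServerB.com Aug 31 22:06:32 [ServerB:HTTPPool03:debug]: netsupport:AUTH:error:Login failed for an unknown user from IP 11.200.10.110. reason "User does not exist"',
    'Sep 1 11:42:58 serverA.com Sep 1 21:12:58 [serverA: rshd_0:debug]: netsupport@[192.100.200.81_4177]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run serverB df -m',
]

# The EXTRACT-* values proposed in the thread, exactly as written in props.conf
# (Splunk/PCRE syntax: named groups are (?<name>...)).
EXTRACTS = {
    "accepted":  r'Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)',
    "alternate": r'for (?:.*?)user (?<user>\w*)\s*from.*reason \"(?<reason>[^\"]*)',
    "command":   r'INPUT COMMAND is (?<Command>.*)',
}

# "(?<" followed by a name character starts a PCRE named group; "(?<=" and "(?<!"
# are lookbehinds and must be left alone.
_PCRE_NAMED_GROUP = re.compile(r'\(\?<(?=[A-Za-z_])')


def pcre_to_python(pattern):
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...)."""
    return _PCRE_NAMED_GROUP.sub('(?P<', pattern)


def extract(pattern, event):
    """Emulate one EXTRACT-* stanza: an unanchored search over the whole event.

    Returns the named groups as a field dict, or {} when the regex does not
    match, which is what Splunk does: the fields simply are not created.
    """
    match = re.search(pcre_to_python(pattern), event)
    return match.groupdict() if match else {}


def extract_all(event):
    """Apply every candidate extraction to one event, keyed by stanza name."""
    return {name: extract(pattern, event) for name, pattern in EXTRACTS.items()}


if __name__ == "__main__":
    for event in EVENTS:
        print(event[:60] + "...")
        for name, fields in extract_all(event).items():
            print(f"  {name:>9}: {fields}")
```

Because the accepted regex captures `.+` after "an", the second event yields User="unknown user", so searches on `User=*` will match it; the alternative regex leaves the user field empty for that event, which is easier to filter on with `user=""`.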