field extraction for error message

Hema_Nithya · ‎11-27-2023

I want to extract the following information make it as a field as "error message" .

index=os source="/var/log/syslog" "*authentication failure*" OR "Generic preauthentication failure"

Events example :

Nov 28 01:02:31 server1 sssd[ldap_child[12010]]: Failed to initialize credentials using keytab [MEMORY:/etc/krb5.keytab]: Generic preauthentication failure. Unable to create GSSAPI-encrypted LDAP connection.

Nov 28 01:02:29 server2 proxy_child[1939385]: pam_unix(system-auth-ac:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.177.46.57 user=hippm

bowesmana · ‎11-27-2023

What defines the start and end of the error text in each of those examples and how much of that do you want to get in error_message

You could very simply do this

| rex "\]:\s(?<error_message>.*)"

which would take everything after the ]: to the end of the event

field extraction for error message

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation

field extraction for error message

field extraction

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A