Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

teach splunk to read data from log

fisk12
Path Finder
‎11-14-2010 09:04 PM

I have syslog from a server sending me logs from /var/log/secure (ssh). But splunk can't seem to read out some stuff from it (ex src)

The packet looks like this.

Nov 14 21:50:33 172.28.2.5 sshd[984]: Accepted password for apa from 192.168.1.5 port 42957 ssh2 tag::host=test Options| host=192.168.1.1 Wiki Options

I want the src (192.168.1.5) to appear in the "src" column.

Tags (2)
0 Karma
Reply

fisk12
Path Finder
‎11-19-2010 03:41 PM

Hmm, but say that i monitor all events in a 15 minutes interval, i have some stuff from the firewall that shows up in the "src" field. I also log some stuff from one of the linux server, and i want it to be able to show the source of the ssh stuff (or from the apache server) in the same "src" field as the firewall.

0 Karma
Reply

Genti
Splunk Employee
Splunk Employee
‎11-16-2010 12:28 AM

IFX works quite well, for me, but if it seems to be failing for you and you are unable to define the regex correctly through it, you could use a custom made regex and use the props.conf way of extracting fields. This is also very well documented at: http://www.splunk.com/base/Documentation/4.1.5/Knowledge/Createandmaintainsearch-timefieldextraction...

0 Karma
Reply

treinke
Builder
‎11-15-2010 01:26 PM

Sounds like you want to do some field extraction. You can give Splunk the field values and then give the results a field name. This is well documented and can be found at:

http://www.splunk.com/base/Documentation/4.1.5/User/InteractiveFieldExtractionExample

There are no answer without questions
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...