We have Splunk setup in our firm and our application logs writes TLS connections information that span across multiple lines and splunk treats every line as message.
Example of Log:
2022-05-07 20:06:24.712 SSL accepted cipher=ECDHE-RSA-AES256-GCM-SHA384 2022-05-07 20:06:24.712 Connection protocol=TLSv1.2 2022-05-07 20:06:24.716 Dump of user cache: 2022-05-07 20:06:24.716 LDAP Cache: User 'user1' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-aaaa-prod-rdr' 2022-05-07 20:06:24.717 LDAP Cache: User 'auser2' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-yyyy-prod-wtr' 2022-05-07 20:06:24.717 LDAP Cache: User 'ad_cibgvaprod_rdr' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-yyyy-prod-rdr' 2022-05-07 20:06:24.717 LDAP Cache: User 'ad_vcsmonprod_adm' is a member of group(s): 2022-05-07 20:06:24.717 'xxxx-tibems-bbbb-prod' 2022-05-07 20:06:24.717 'xxxx-tibems-aaaa-prod-shutdown' 2022-05-07 20:06:24.717 [
[email protected]]: Connected, connection id=21879, client id=<none>, type: queue, UTC offset=2
Here line starts with "SSL accepted cipher=" and ends with "
[email protected]]: Connected,"
I would like timecharts cipher (ECDHE-RSA-AES256-GCM-SHA384), user (user1), Server (server1.svr.us.example.net)
Stats like follows
Date Hour Cipher User Server Count
10-10-20 10:00 ECDHE-RSA-AES256-GCM-SHA384) user1 server1 200
Please let me know if there an elegant solution to this,
Kannan
... View more