I have managed to get our Linux hosts' lastlog data into our Splunk> (version 5.0.2, build 149561) easily enough, but what I am trying to accomplish (with any additional app installs, thanks) is to "chop up" the lastlog results into a chart by host, user, IP and date.
I tried Extract Fields on the results and could NOT get it to recognize a list of 40 names.
20 Most Common and 20 'Random' names, either together or separately, both return "No regex could be learned. Try providing different examples or restriction."
I tried the actual names from "sample events" and it just barks the same message.
Even the simple names list (Lucy Ricky Fred Ethel) fails.
We have the Splunk_TA_nix installed.
Sample data via Splunk shows:
USERNAME FROM LATEST
root xx.xxx.61.95 Jun 5 06:15:58 2013
some_user isp-24-249-207- Jun 4 08:03:29 2013
another_user what.ever Jun 2 13:00:15 2013
Edit: Wed Jun 05, 2013 - 1:01:38 PM EDT
Extracted Fields vs. Indexed Fields... so I want to extract the usernames from the output of
sourcetype="lastlog" host="*"
Fri Jun 07, 2013 - 2:22:40 PM EDT
Some progress...
\w+\s+\w+\s+\w+\s+(?P [^ ]+)
but this only grabs "root" and one other username
so, still banging away...
Thanks
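As an added example (not from the post and not part of Splunk_TA_nix), the same extraction done in Python: one line-anchored regex reads each USERNAME/FROM/LATEST row of the sample above into host, user, source and date fields and skips the header row, which an unanchored pattern like the one in the post consumes before capturing only the first username. The reporting host name, the header row and the "Never logged in" row are assumptions added for the sample.

```python
import re
from datetime import datetime
from ipaddress import ip_address

# Constructed sample in the USERNAME/FROM/LATEST layout shown in the post.
# The header line, the never-logged-in row and the 192.0.2.10 address
# (a documentation-range IP) are assumptions, not the poster's real data.
SAMPLE_LASTLOG = """\
USERNAME FROM LATEST
root 192.0.2.10 Jun 5 06:15:58 2013
some_user isp-24-249-207- Jun 4 08:03:29 2013
another_user what.ever Jun 2 13:00:15 2013
svc_backup **Never logged in**
"""

# One login record per line: username, the FROM column (an IP or a
# possibly truncated hostname) and the LATEST timestamp. Anchoring each
# match to a whole line means the header and the "Never logged in" row
# simply fail to match instead of being captured as a bogus user.
ROW_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<src>\S+)\s+"
    r"(?P<latest>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\d{4})\s*$",
    re.MULTILINE,
)


def parse_lastlog(text, host):
    """Return one dict per login record, tagged with the reporting host."""
    records = []
    for m in ROW_RE.finditer(text):
        src = m.group("src")
        try:
            ip_address(src)
            src_kind = "ip"
        except ValueError:
            # lastlog truncates long hostnames (isp-24-249-207-), so a
            # hostname here may be partial and should not be trusted as-is
            src_kind = "hostname"
        # collapse repeated spaces ("Jun  5") before parsing the timestamp
        when = datetime.strptime(" ".join(m.group("latest").split()),
                                 "%b %d %H:%M:%S %Y")
        records.append({
            "host": host,
            "user": m.group("user"),
            "src": src,
            "src_kind": src_kind,
            "latest": when.isoformat(),
        })
    return records
```

Splunk's rex command returns only the first match per event unless max_match is raised, which is why a single pattern run over the whole multi-line lastlog event stops after root.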