Hi there, new to Splunk.
I have some records that take two different forms (both denote a failed SSH login). I want to make a chart of the top offending remote IP addresses. Can I extract the IP in the same query from these strings even though they have a different number of words preceding it?
Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26449]: Failed password for root from 116.10.191.209 port 2024 ssh2
Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26447]: Failed password for invalid user admin from 116.10.191.209 port 2016 ssh2
Hi kevinlong206,
you can do something like this if the IP is always after "from" and before "port":
.... | rex field=_raw "from\s(?<theBadGuy>.+)\sport" | ....
or to make sure you only grab numbers
.... | rex field=_raw "from\s(?<theBadGuy>(\d+\.){3}\d+)\sport" | ...
this will create a new field called theBadGuy which can be used further.
hope this helps ...
cheers, MuS
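As an added illustration (not part of MuS's answer), the same extraction done in Python over constructed events in both formats from the question, showing that anchoring the regex on "from" and "port" makes the number of preceding words irrelevant, and then counting offenders the way "| top theBadGuy" would. Note that Python names groups as (?P<name>...) whereas Splunk's PCRE-based rex accepts (?<name>...).

```python
import re
from collections import Counter

# Constructed sample events in the two formats from the question; the second
# form has the extra words "invalid user admin" before "from". Two extra
# constructed lines (one failure, one success) are included for the counting.
SAMPLE_EVENTS = [
    "Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26449]: "
    "Failed password for root from 116.10.191.209 port 2024 ssh2",
    "Mar 27 19:45:22 10.20.10.160 Mar 27 19:45:22 monitor-demo sshd[26447]: "
    "Failed password for invalid user admin from 116.10.191.209 port 2016 ssh2",
    "Mar 27 19:46:01 10.20.10.160 Mar 27 19:46:01 monitor-demo sshd[26451]: "
    "Failed password for invalid user test from 203.0.113.7 port 40122 ssh2",
    "Mar 27 19:46:05 10.20.10.160 Mar 27 19:46:05 monitor-demo sshd[26452]: "
    "Accepted password for alice from 198.51.100.5 port 51000 ssh2",
]

# Same pattern as the "numbers only" rex from the answer. It is anchored on the
# literal words "from" and "port", so whatever precedes "from" does not matter.
# Python spells the named group (?P<...>) instead of Splunk's (?<...>).
BAD_GUY_RE = re.compile(r"from\s(?P<theBadGuy>(?:\d+\.){3}\d+)\sport")


def extract_bad_guy(event: str):
    """Return the remote IP from one event, or None if the pattern is absent."""
    m = BAD_GUY_RE.search(event)
    return m.group("theBadGuy") if m else None


def top_offenders(events, limit=10):
    """Mimic `<search> | rex ... | top theBadGuy` over a list of raw events.

    The "Failed password" check stands in for the search terms that would sit
    before "| rex" in the real query, so successful logins are not counted.
    """
    counts = Counter()
    for event in events:
        if "Failed password" not in event:
            continue
        ip = extract_bad_guy(event)
        if ip is not None:
            counts[ip] += 1
    return counts.most_common(limit)


if __name__ == "__main__":
    for ip, hits in top_offenders(SAMPLE_EVENTS):
        print(f"{ip}\t{hits}")
```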