Splunk Search

Regex for Dell Quest TPAM logs ?

plarsenDST
Explorer

Has anyone done any work with Dell/Quest TPAM logs? Not enough experience with regex to know where to start.

As an example for UserName: sometimes it is one word sometimes it is two words so having Splunk Build the regex does not work real well.

Trying to learn so what kind of Regex will take next word or two words before it see's another word with a trailing colon: which would be the next key pair, like Operation: or ObjectType: in the log examples below.

Aug 22 03:41:41 TPAMHOST1 PAR[72]: Source: TPAMCONSOLE UserName: Automation Engine Operation: Timed Out ObjectType: Authenticated Session Target: id12345 Role: N/A Failed? 0 OtherInfo: Inactive for 40 minutes

Aug 22 03:29:19 TPAMHOST1 PAR[61]: Source: TPAMCONSOLE UserName: id12345 Operation: Logout ObjectType: Authentication Target: id12345 Role: N/A Failed? 0 OtherInfo: Inactive for 14 seconds. From address 10.10.10.10

Tags (2)
0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Use the keyword that follows as a delimiter. See if this regex helps.

Source:\s(?<Source>.*?)\sUserName:\s(?<UserName>.*?)\sOperation:\s(?<Operation>.*?)\sObjectType:\s(?<ObjectType>.*?)\sTarget:(?<Target>.*?)\sRole:\s(?<Role>.*?)\sFailed\?(?<Failed>.*?)\sOtherInfo:\s(?<OtherInfo>.*)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Use the keyword that follows as a delimiter. See if this regex helps.

Source:\s(?<Source>.*?)\sUserName:\s(?<UserName>.*?)\sOperation:\s(?<Operation>.*?)\sObjectType:\s(?<ObjectType>.*?)\sTarget:(?<Target>.*?)\sRole:\s(?<Role>.*?)\sFailed\?(?<Failed>.*?)\sOtherInfo:\s(?<OtherInfo>.*)
---
If this reply helps you, Karma would be appreciated.
0 Karma

plarsenDST
Explorer

Thanks for the help.

Removed the \sFailed\?(?<Failed>.*?) part as that was the Role: value. So the rest is as you provided which seems to be doing what it is supposed to.

Thanks again.

Source:\s(?<Source>.*?)\sUserName:\s(?<UserName>.*?)\sOperation:\s(?<Operation>.*?)\sObjectType:\s(?<ObjectType>.*?)\sTarget:(?<Target>.*?)\sRole:\s(?<Role>.*?)\sOtherInfo:\s(?<OtherInfo>.*)
0 Karma

lfedak_splunk
Splunk Employee
Splunk Employee

Hey @plarsenDST, can you accept the Answer if it worked? You and Rich will both receive karma points that way!

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...