Hi everyone
I'm new to Splunk, I'm trying to extract fields called username, clientip.
But some rows of data start with "Invalid user (username)", some rows have only (username).
How can I create regex for this pattern data?
Sorry for my English 🙂
Thanks
This works fine for me. (things before the rex are just to generate sample data)
| gentimes start=-1 | eval temp="Thu Sep 29 2015 00:00:00 mailsv1 sshd[5276]: Failed password for invalid user appserver from 100.890.03.34 port 3351 ssh2#Thu Sep 29 2015 00:00:00 mailsv1 sshd[5276]: Failed password for root from 100.890.03.34 port 3351 ssh2" | table temp | makemv temp delim="#" | mvexpand temp | rename temp as _raw
| rex "^(?:[^\s\n]* ){10}(invalid user )*(?P<username>\w+) from (?P<clientip>[^ ]+)"
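The same extraction written as a small Python parser, added here as an example (it is not code from the thread or from Splunk). It uses the same idea as the rex above, with "invalid user " as an optional group before the username, but anchors on the literal "Failed password for" instead of skipping a fixed number of tokens, so that sshd lines such as "Accepted publickey for ... from ..." are not mis-tagged as failures. The log lines and IP addresses are constructed sample data.

```python
import re
from collections import Counter

# Constructed sample sshd lines covering both variants from the question
# (an unknown username, a known one) plus an unrelated line that must not match.
LOG_LINES = [
    "Thu Sep 29 2015 00:00:00 mailsv1 sshd[5276]: Failed password for invalid user appserver from 198.51.100.7 port 3351 ssh2",
    "Thu Sep 29 2015 00:00:01 mailsv1 sshd[5276]: Failed password for root from 198.51.100.7 port 3352 ssh2",
    "Thu Sep 29 2015 00:00:02 mailsv1 sshd[5280]: Accepted publickey for deploy from 198.51.100.9 port 4011 ssh2",
]

# "invalid user" is an optional named group, as in the rex from the answer, so one
# pattern serves both row formats. The username stops at " from ", the client IP
# at the next space, and the literal "Failed password for" keeps the match to failures.
FAILED_PASSWORD_RE = re.compile(
    r"sshd\[\d+\]: Failed password for "
    r"(?:(?P<invalid>invalid user) )?"
    r"(?P<username>\S+) from (?P<clientip>\S+) port (?P<port>\d+)"
)


def parse_failed_password(line):
    """Return the extracted fields for a failed-password line, or None otherwise."""
    m = FAILED_PASSWORD_RE.search(line)
    if m is None:
        return None
    return {
        "username": m.group("username"),
        "clientip": m.group("clientip"),
        "port": int(m.group("port")),
        # True when sshd reported the account as nonexistent ("invalid user")
        "invalid_user": m.group("invalid") is not None,
    }


def summarize(lines):
    """Count failed password attempts per client IP and the usernames each one tried."""
    per_ip = Counter()
    users_by_ip = {}
    for line in lines:
        rec = parse_failed_password(line)
        if rec is None:
            continue
        per_ip[rec["clientip"]] += 1
        users_by_ip.setdefault(rec["clientip"], set()).add(rec["username"])
    return per_ip, users_by_ip


if __name__ == "__main__":
    per_ip, users_by_ip = summarize(LOG_LINES)
    for ip, count in per_ip.most_common():
        print(f"{ip}: {count} failed password attempts, users tried: {sorted(users_by_ip[ip])}")
```

The `summarize` step is the Python equivalent of following the rex with `| stats count dc(username) by clientip`: a single client IP cycling through many usernames is the shape a password-spraying or brute-force attempt leaves in the sshd log, and the `invalid_user` flag separates guesses at accounts that do not exist from guesses at real ones.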
Thanks everyone who came to help me.
Hi somesoni2,
Now I can extract this pattern by using your regex. Thank you for your advice.
Something like this should do:
.. rex field=_raw "Invalid user (?<InvalidUser>.*\").*\" ..
Can you provide a snippet of the data in text format, with both formats included?
update: sorry scratch below, I didn't see the jpg
Better yet you can use the IFX tool to extract on your own...
http://docs.splunk.com/Documentation/Splunk/6.3.0/Knowledge/ExtractfieldsinteractivelywithIFX