Hi @PickleRick , One index is missing. But I got what you said. This works. Thank you so much, I really appreciate your help. Cheers ... View more

Hi @bowesmana , This query is working. Thank you so much ! Really appreciate your help.  Cheers ... View more

Hi @IZ88 , How are you doing ? I need a help from you. Could you please help me to generate a single query from these 3 separate queries ? The index is same in 1 & 2 queries. The source types of all 3 are different. Thank you. 1. index="abc_oracle" source=audit_19c sourcetype="audit" | eval "Database Modifications:" = "Modification on " + host, "Date and Time" = TIMESTAMP, "Type" = SQL_TEXT, "User" = DB_USER , "Source" = sourcetype | search "Database Modifications:"="Modification on *" NOT select | rex field=_raw "SQL_TEXT=\S(?P<Type>\W?......)\s" | rex field=_raw "DB_USER=(?P<UserName>..........)" | table "Date and Time", "Database Modifications:" ,"Type", "User", "Source"   2. index="abc_oracle" source=audit_row_19c sourcetype="audit" | eval "Database Modifications:" = "Modification on " + host, "Date and Time" = TIMESTAMP, "Type" = SQL_TEXT, "User" = DB_USER , "Source" = sourcetype | search "Database Modifications:"="Modification on *" NOT select | rex field=_raw "SQL_TEXT=\S(?P<Type>\W?......)\s" | rex field=_raw "DB_USER=(?P<UserName>..........)" | table "Date and Time", "Database Modifications:" ,"Type", "User", "Source"   3. index="abc_11g" source=oracle_11g sourcetype="audit" | eval "Database Modifications:" = "Modification on " + host, "Date and Time" = TIMESTAMP_qab, "Type" = SQL_TEXT, "User" = DB_USER , "Source" = sourcetype | search "Database Modifications:"="Modification on *" NOT select | rex field=_raw "SQL_TEXT=\S(?P<Type>\W?......)\s" | rex field=_raw "DB_USER=(?P<UserName>..........)" | table "Date and Time", "Database Modifications:" ,"Type", "User", "Source"   Thank you   ... View more

Hi @IZ88 , I created the query as below and got the results. (index=windows_log host=abc-05-hiddencam entered*) OR (index=windows_log host= abc-05-hiddencam logged*) | rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)" | rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*"   | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status | table "Hidden Cam Monitoring"   The query executes and gives the results in one table.  1st Regex data:  Dec 14 20:31:05 abc-05-hiddencam MSWinEventLog#0111#011System#011622650#011Tue Dec 14 20:31:05 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service (gupdate) service entered the stopped state.#01176625 Dec 14 20:27:53 abc-05-hiddencam MSWinEventLog#0111#011System#011622648#011Tue Dec 14 20:27:53 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.#01176624 2nd Regex data: Dec 13 09:03:18 abc-05-hiddencam MSWinEventLog#0111#011Security#011620683#011Mon Dec 13 09:03:16 2021#0114634#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\Alis#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff#011#011An account was logged off.    Subject:   Security ID:  S-1-5-21-193828115-2933347444-2245271187-1049   Account Name:  Alis   Account Domain:  abc-05-hiddencam   Logon ID:  0x8ac469ffa    Logon Type:   10    This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer.#011304150 Dec 13 09:00:49 abc-05-hiddencam MSWinEventLog#0111#011Security#011620638#011Mon Dec 13 09:00:47 2021#0114624#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\Alis#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    Subject:   Security ID:  S-1-5-18   Account Name:  abc-05-hiddencam   Account Domain:  WORKGROUP   Logon ID:  0x3e7    Logon Type:   10    New Logon:   Security ID:  S-1-5-21-193828115-2933347444-2245271187-1049   Account Name:  Alis   Account Domain: Now the only issue is when I amend the second Regex to capture the user as mentioned below:   | rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.+Account\sName\S+\s+(?<user>\w+).+"   And when I add "user" to the eval and table, the table does not extract the queries related to the first regex.   Appreciate if you can suggest me a way.    Thank you  ... View more

Hi @gcusello , Thank you for trying to help. However, it did not work. I can provide you some sample log data for both so it is easy to understand what I am trying to achieve. Please feel free to rename the fields (date, hostname, status) in my regex when combining the queries so it does not confuse Splunk. Query 1: index=windows_log host=abc-05-hiddencam logged* | rex field=_raw  "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*" | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status | table "Hidden Cam Monitoring" Sample Data: Dec 11 13:35:05 abc-05-hiddencam EventLog#0111#011Security#011618268#011Sat Dec 11 13:35:03 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    SubjectPackage Name (NTLM only): -   Key Length:  0    This event is generated when a logon session is Dec 11 13:30:34 abc-05-hiddencam EventLog#0111#011Security#011618223#011Sat Dec 11 13:30:31 2021#0114624#011Microsoft-Windows-Security-Auditing#011NT AUTHORITY\SYSTEM#011N/A#011Success Audit#011abc-05-hiddencam#011Logon#011#011An account was successfully logged on.    Subject: Dec 10 06:11:55 abc-05-hiddencam EventLog#0111#011Security#011616614#011Fri Dec 10 06:11:52 2021#0114634#011Microsoft-Windows-Security-Auditing#011abc-05-hiddencam\operations#011N/A#011Success Audit#011abc-05-hiddencam#011Logoff#011#011An account was logged off.    Subject   Query 2: index=windows_log host=abc-05-hiddencam entered* | rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)" | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status | table "Hidden Cam Monitoring" Sample Data: Dec 11 19:10:38 abc-05-hiddencam EventLog#0111#011System#0119#011Sat Dec 11 19:10:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the stopped state.#01175830 Dec 11 18:55:46 abc-05-hiddencam EventLog#0111#011System#011618596#011Sat Dec 11 18:55:46 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The Google Update Service (gupdate) service entered the stopped state.#01175829 Dec 11 18:52:38 abc-05-hiddencam EventLog#0111#011System#011618594#011Sat Dec 11 18:52:38 2021#0117036#011Service Control Manager#011N/A#011N/A#011Information#011abc-05-hiddencam#011None#011#011The WinHTTP Web Proxy Auto-Discovery Service service entered the running state.#01175828 Thank you so much for your help. ... View more

Hi @IZ88 , I hope you are doing really well and thank you for helping me solve my previous issues. I now learnt how to build up regex queries on my own after your explanations and analysis of the queries you built for me, a huge thank you for that.  I have another issue now, which I hope you would help me get solved.  I have 2 separate queries that I built using Rex. 1. This query captures the logg on and logg off status of the service. Query: index=windows_log host=abc-05-hiddencam logged* | rex field=_raw  "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\w+-\w+).+Audit\S+\s\w+\s\w+\s(?<status>.+).\s\s\s\sSub.*" | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status | table "Hidden Cam Monitoring" 1. Sample Output: Dec 10 13:35:12 : abc-05-hiddencam successfully logged on Dec 10 06:19:24 : abc-05-hiddencam successfully logged on Dec 10 06:17:01 : abc-05-hiddencam logged off Dec 10 06:11:55 : abc-05-hiddencam logged off   2. This query captures the service entering the start or stop status. Query: index=windows_log host=abc-05-hiddencam entered* | rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+)\s(?<hostname>\w+-\d+-\w+).*(?<status>service\s\w+\s\w+\s\w+\s\w+)" | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status | table "Hidden Cam Monitoring"   2. Sample Output: Dec 10 16:10:04 : abc-05-hiddencam service entered the stopped state Dec 10 15:31:31 : abc-05-hiddencam service entered the stopped state Dec 10 15:28:19 : abc-05-hiddencam service entered the running state Dec 10 15:28:18 : abc-05-hiddencam service entered the running state   My issue is, I want to combine above queries into a single query and get an output in a table as shown below. 3. Expected sample results: Dec 10 13:35:12 : abc-05-hiddencam successfully logged on Dec 10 16:10:04 : abc-05-hiddencam service entered the stopped state Dec 10 06:19:24 : abc-05-hiddencam successfully logged on Dec 10 15:28:18 : abc-05-hiddencam service entered the running state Dec 10 06:17:01 : abc-05-hiddencam logged off Dec 10 15:28:19 : abc-05-hiddencam service entered the running state Dec 10 06:11:55 : abc-05-hiddencam logged off Dec 10 15:31:31 : abc-05-hiddencam service entered the stopped state ( The results are going to be different to above based on the timestamp and the events. What I mean here is the results come mixing together in a single table as and when they take place.) Thank you heaps in advance.  ... View more

Hi @IZ88 Thank you so much for the help. 😀 ... View more

Woww @IZ88 . This fixed the issue and I was missing some parts of the result. Once I got this missing piece from you, it all fallen in place.  Thank you so much.... ... View more

Hi @IZ88  I did it : (?<Date>\w{3}\s \d+ \d+:\d+:\d+) Then the query shifted to capture only double dot string. I wonder if there is a way to capture both formats ?   Thank you ... View more

Hi @IZ88 , You are the only person in the splunk forum who can understand what I want and can exactly deliver. Thank you so much.  However, I still have a trouble getting the thing sorted. I found that there are two time formats as shown in the below image. So when I ran the following command only a specific time is captured.  Can you please help me ? This is https://regex101.com/ screenshot. The query can only capture the single dot time stamp.   Thank you.   ... View more

Hi @IZ88 , You are the only person in the splunk forum who can understand what I want and can exactly deliver. Thank you so much.  However, I still have a trouble getting the thing sorted. I found that there are two time formats as shown in the below image. So when I ran the following command only a specific time is captured.  Can you please help me ? This is https://regex101.com/ screenshot. The query can only capture the single dot time stamp.   Thank you.   ... View more

Hi @IZ88  Thank you for the append query.  I am trying to build the rex command. Let's say this one.. Oct 15 08:17:45 brg-c-1.com.au 8279: Oct 15 2021 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable Oct 15 08:17:35 brg-c-1.com.au 8278: Oct 15 2021 08:17:34.082 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:lili logged command:!exec: enable failed Sep 15 23:29:55 gsw-r-4.com.au 466: Sep 15 23:29:54.009: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 12 15:18:37 edc-r-4.com.au 02: Aug 12 15:18:36.472: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 11 03:31:05 ctc-s.com.au 134: Aug 10 17:31:04.859: %PARSER-5-CFGLOG_LOGGEDCMD: User:cijs logged command:!exec: enable Jan 29 11:30:58 brg-c-1.com.au 2082: Jan 29 2021 11:30:57.141 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:chick logged command:!exec: enable failed I build the query like this to create a table and capture who used the enabled command on which host on which date.  But it does not seem to be working. If I can get this query right I think I can apply it in the append you showed me. Can you please help me to figure out what is wrong with this ? index= networking   | rex field=_raw "(?<Date>\w{3} \d+ \d+:\d+:\d+)(?<user>\w+)(:\d+ (?<hostname>.+) \d+: \w+)(?<command>)" | search command="enable" | table Date hostname User Command ... View more

Hi @IZ88, Could you please help me ? I really appreciate.  I run the below 1,2,3 queries on the given datasets to find out which users ran the enable command on which host at what time: 1. index= networking user* enable* host* Oct 15 08:17:45 brg-c-1.com.au 8279: Oct 15 2021 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable Oct 15 08:17:35 brg-c-1.com.au 8278: Oct 15 2021 08:17:34.082 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:lili logged command:!exec: enable failed Sep 15 23:29:55 gsw-r-4.com.au 466: Sep 15 23:29:54.009: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 12 15:18:37 edc-r-4.com.au 02: Aug 12 15:18:36.472: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 11 03:31:05 ctc-s.com.au 134: Aug 10 17:31:04.859: %PARSER-5-CFGLOG_LOGGEDCMD: User:cijs logged command:!exec: enable Jan 29 11:30:58 brg-c-1.com.au 2082: Jan 29 2021 11:30:57.141 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:chick logged command:!exec: enable failed 2. index=linux_logs host=edc-03-tacacs enable* Oct 26 12:56:13 egc-03-ts tc_plus[149]: enable query for 'kim' tty86 from 202.168.5.22 accepted Oct 26 11:33:44 egc-03-ts tc_plus[259]: enable query for 'kim' tty86 from 202.168.5.22 accepted Oct 21 11:35:59 egc-03-ts tc_plus[285]: enable query for 'John' tty86 from 202.168.5.23 accepted Oct 21 11:35:53 egc-03-ts tc_plus[282]: enable query for 'Han' tty86 from 202.168.5.23 rejected 3. index=linux_logs host=gsw-03-tacacs enable* Sep 30 13:35:53 gdw-02-ts tc_plus[143]: 192.168.2.21 James tty1 192.168.6.56 stop task_id=55161 timezone=AEST service=shell start_time=1632972953 priv-lvl=0 cmd=enable Sep 29 12:38:17 gdw-02-ts tc_plus[319]: 192.168.2.24 linda tty1 192.168.5.3 stop task_id=15729 timezone=AEST service=shell start_time=1632883097 priv-lvl=0 cmd=enable Sep 15 22:23:23 gdw-02-ts tc_plus[1649]: 192.168.4.2 Brown tty322 192.168.46.1 stop task_id=2574 timezone=AEST service=shell start_time=1631708603 priv-lvl=0 cmd=enable Sep 9 14:58:32 gdw-02-ts tc_plus[2030]: 192.168.2.29 Gordan tty1 192.168.26.3 stop task_id=14329 timezone=AEST service=shell start_time=1631163512 priv-lvl=0 cmd=enable I tried hard but could not find a query to merge all these data (indexes and hosts) to find out who ran enable command successfully at what time on which host. And get those results to a table look like |table date host user command(enable) status(success) Thank you ... View more

@tread_splunk Thank you for the trying to help me. Actually it captured the dates in some results.  I found the working query:  | rex field=_raw ":\d+ (?<hostname>.+) \d+: \w+" ... View more

@IZ88 Woww....That worked wonders. I really appreciate the explanation.  ... View more

@PickleRick  Actually, what I am doing is generating compliance reports from already onboarded data for GRC purpose.  The data is already there, the data resides in multiple indexes in different formats. I have no control over the way it was extracted.  Now I am trying to extract just the server name so that I can keep building the query. If you can show me a way to extract the server name using any other method (not necessarily regex) that would be grate ? Thank you.   ... View more

Hi @IZ88 , I tried to capture the server names from below data:  Oct 15 08:17:45 brg-c-1.com.au 8279: Oct 15 2021 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable Oct 15 08:17:35 brg-c-1.com.au 8278: Oct 15 2021 08:17:34.082 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:lili logged command:!exec: enable failed Aug 11 03:31:05 ctc-s.com.au 134: Aug 10 17:31:04.859: %PARSER-5-CFGLOG_LOGGEDCMD: User:cijs logged command:!exec: enable with the following rex command, but it won't work, can you please help me to see what is wrong ? | rex field=_raw "\/(?<hostname>[^_\/]+)[\w\.]+$" Thank you ... View more

Hi @PickleRick, Thank you for your reply. I tried to capture the server names from below data:  Oct 15 08:17:45 brg-c-1.com.au 8279: Oct 15 2021 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable Oct 15 08:17:35 brg-c-1.com.au 8278: Oct 15 2021 08:17:34.082 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:lili logged command:!exec: enable failed Aug 11 03:31:05 ctc-s.com.au 134: Aug 10 17:31:04.859: %PARSER-5-CFGLOG_LOGGEDCMD: User:cijs logged command:!exec: enable with the following rex command, but it won't work, can you please help me to see what is wrong ? | rex field=_raw "\/(?<hostname>[^_\/]+)[\w\.]+$" Thank you ... View more

Hi @IZ88 champion, I hope you can help me.  I run the below 1,2,3 queries on the given datasets to find out which users ran the enable command on which host at what time: 1. index= networking user* enable* host* Oct 15 08:17:45 brg-c-1.com.au 8279: Oct 15 2021 08:17:44.820 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:John logged command:!exec: enable Oct 15 08:17:35 brg-c-1.com.au 8278: Oct 15 2021 08:17:34.082 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:lili logged command:!exec: enable failed Sep 15 23:29:55 gsw-r-4.com.au 466: Sep 15 23:29:54.009: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 12 15:18:37 edc-r-4.com.au 02: Aug 12 15:18:36.472: %PARSER-5-CFGLOG_LOGGEDCMD: User:Khan logged command:!exec: enable Aug 11 03:31:05 ctc-s.com.au 134: Aug 10 17:31:04.859: %PARSER-5-CFGLOG_LOGGEDCMD: User:cijs logged command:!exec: enable Jan 29 11:30:58 brg-c-1.com.au 2082: Jan 29 2021 11:30:57.141 AEST: %PARSER-5-CFGLOG_LOGGEDCMD: User:chick logged command:!exec: enable failed 2. index=linux_logs host=edc-03-tacacs enable* Oct 26 12:56:13 egc-03-ts tc_plus[149]: enable query for 'kim' tty86 from 202.168.5.22 accepted Oct 26 11:33:44 egc-03-ts tc_plus[259]: enable query for 'kim' tty86 from 202.168.5.22 accepted Oct 21 11:35:59 egc-03-ts tc_plus[285]: enable query for 'John' tty86 from 202.168.5.23 accepted Oct 21 11:35:53 egc-03-ts tc_plus[282]: enable query for 'Han' tty86 from 202.168.5.23 rejected 3. index=linux_logs host=gsw-03-tacacs enable* Sep 30 13:35:53 gdw-02-ts tc_plus[143]: 192.168.2.21 James tty1 192.168.6.56 stop task_id=55161 timezone=AEST service=shell start_time=1632972953 priv-lvl=0 cmd=enable Sep 29 12:38:17 gdw-02-ts tc_plus[319]: 192.168.2.24 linda tty1 192.168.5.3 stop task_id=15729 timezone=AEST service=shell start_time=1632883097 priv-lvl=0 cmd=enable Sep 15 22:23:23 gdw-02-ts tc_plus[1649]: 192.168.4.2 Brown tty322 192.168.46.1 stop task_id=2574 timezone=AEST service=shell start_time=1631708603 priv-lvl=0 cmd=enable Sep 9 14:58:32 gdw-02-ts tc_plus[2030]: 192.168.2.29 Gordan tty1 192.168.26.3 stop task_id=14329 timezone=AEST service=shell start_time=1631163512 priv-lvl=0 cmd=enable I tried hard but could not find a query to merge all these data (indexes and hosts) to find out who ran enable command successfully at what time on which host. And get those results to a table look like |table date host user command(enable) status(success) Could anyone please help me ? Thank you in advance. ... View more

Hi @ITWhisperer @PickleRick , I got the hints from a query builder. It is something like this  | rex field=_raw "(?<date>\w{3} \d+ \d+:\d+:\d+) (?<var_name>.+) (?<lnx_command>\w+): (?<var_name2>\w+) (?<user>\w+): (?<sys_command>.*)" | search sys_command="*rsyslog stop" | table date user <the var_name thats correspond with your server name>  Thank you for trying to help me out. I really appreciate it.  Cheers ... View more

Hi @IZ88 , Thank you. This solved my problem. I marked it as solution and gave you thumbs up. Thank you so much for the help. ... View more