Solved: Identify field command with regex

dfigurello · ‎01-15-2014

Hey Splunkers,

Could you help me about identify a field. I don't have experience with regex. In my case I have firewalls log, for example:

command 'top '
command 'delete user teste '
command 'edit system login '
command 'commit '
command 'set login user teste uid 2006 class super-user authentication plain-text-password '

I want to indentify the field "command"

command = top
command = delete user teste
command = edit system login
command = commit

I tried with IFX but not works. Anyone have any idea about that?

Tks Splunkers.

theouhuios · ‎01-15-2014

<yoursearch>|rex field=_raw "command\s+\'(?<command>.*)\'$"

Try the above rex. Is there a space after command and ' ? If not then this should work

 <yoursearch>|rex field=_raw "command\'(?<command>.*)\'$"

View solution in original post

theouhuios · ‎01-15-2014

<yoursearch>|rex field=_raw "command\s+\'(?<command>.*)\'$"

Try the above rex. Is there a space after command and ' ? If not then this should work

 <yoursearch>|rex field=_raw "command\'(?<command>.*)\'$"

dfigurello · ‎01-15-2014

Worked! Tks theouhuios!

dfigurello · ‎01-15-2014

Follow the logs:

Jan 15 11:43:33 10.30.0.43 Jan 15 11:27:08 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'exit '
Jan 15 11:42:23 10.30.0.43 Jan 15 11:25:58 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'commit and-quit '
Jan 15 11:41:55 10.30.0.43 Jan 15 11:25:30 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'commit check '
Jan 15 11:41:49 10.30.0.43 Jan 15 11:25:24 SRX.com.br mgd[68527]: UI_CMDLINE_READ_LINE: User 'tbrazil', command 'set interfaces fe-0/0/7 description multiplan '

Tks.

gfreitas · ‎01-15-2014

I think you should try this: \'(.*?)\'

It worked for me! 😉

Identify field command with regex

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms