Splunk Search

How do you extract multiple strings of text using rex?

TechnicalRS
Engager

I have VPN access connect/disconnect events from a Meraki security appliance being fed into Splunk. They show up in Splunk as:

Jun  2 11:13:37 10.0.0.253 1
1401722017.518634469 Site1_Firewall events client_vpn_connect user id 'username@domainname.com' local ip
192.168.111.165 connected from 10.2.30.44

Jun  2 11:10:02 10.0.0.253 1
1401721802.723896809 Site1_Firewall events client_vpn_disconnect user id 'username@domainname.com' local ip
192.168.111.165 connected from 10.2.30.44

I need this data to be less cluttered for a report that shows when users are accessing the VPN, and would only really need something like:

Jun 2 11:10:02 connect username@domainname.com 10.2.30.44
Jun 2 11:13:55 disconnect username@domainname.com 10.2.30.44

What would be the best method of extracting only the needed information from the logged message? I have read up on the rex command in Splunk and while it seems like this would be where I need to be looking, I have absolutely no experience with how to write regular expressions. If anyone can offer a suggestion on how to accomplish this (as well as tips/reading material for understanding and writing regular expressions!) I would be very appreciative.

1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try something like this.

Your base search | rex "client_vpn_(?<Action>[^ ]*) user id '(?<UserId>[^']*)'" | rex " connected from (?<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | eval Message=strftime(_time,"%B %d %H:%M:%S")." ".Action." ".UserId." ".IPAddress | table Message

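The same extraction that the answer's two rex commands perform, written as an added Python example (this is not the Splunk search from the answer and not Meraki or Splunk code) so the regular expressions can be tried offline. The named groups Action, UserId and IPAddress are the ones from the answer; the timestamp is taken from the syslog prefix in the message text rather than from Splunk's _time; the sample events are constructed from the two lines in the question (each wrapped onto a single line), and a third, non-VPN line is added to show the extractor skipping events that do not match instead of failing.

```python
import re
from typing import Optional

# Constructed sample events, modelled on the two Meraki lines in the question
# (usernames and addresses are the placeholders from the original post).
SAMPLE_EVENTS = [
    "Jun  2 11:13:37 10.0.0.253 1 1401722017.518634469 Site1_Firewall events "
    "client_vpn_connect user id 'username@domainname.com' local ip "
    "192.168.111.165 connected from 10.2.30.44",
    "Jun  2 11:10:02 10.0.0.253 1 1401721802.723896809 Site1_Firewall events "
    "client_vpn_disconnect user id 'username@domainname.com' local ip "
    "192.168.111.165 connected from 10.2.30.44",
    # Constructed non-VPN line: the extractor must skip it rather than crash.
    "Jun  2 11:14:00 10.0.0.253 1 1401722040.000000000 Site1_Firewall events "
    "something_else happened",
]

# The three pieces the answer's two rex commands capture, as Python named groups.
# The syslog timestamp is read from the message text here, where the Splunk
# search uses the event's _time instead.
TIMESTAMP_RE = re.compile(
    r"^(?P<Month>[A-Z][a-z]{2})\s+(?P<Day>\d{1,2}) (?P<Time>\d{2}:\d{2}:\d{2})"
)
# [^ ]* stops at the first space, so Action is exactly "connect" or "disconnect";
# [^']* stops at the closing quote around the user id.
ACTION_USER_RE = re.compile(r"client_vpn_(?P<Action>[^ ]*) user id '(?P<UserId>[^']*)'")
REMOTE_IP_RE = re.compile(
    r" connected from (?P<IPAddress>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
)


def extract_vpn_event(line: str) -> Optional[dict]:
    """Return the fields of a client_vpn_* event, or None if the line is not one."""
    action_user = ACTION_USER_RE.search(line)
    remote_ip = REMOTE_IP_RE.search(line)
    timestamp = TIMESTAMP_RE.search(line)
    # All three parts must be present; a partial match is treated as "not a VPN event".
    if not (action_user and remote_ip and timestamp):
        return None
    return {
        "Month": timestamp.group("Month"),
        "Day": int(timestamp.group("Day")),  # int() drops the padding space in "Jun  2"
        "Time": timestamp.group("Time"),
        "Action": action_user.group("Action"),
        "UserId": action_user.group("UserId"),
        "IPAddress": remote_ip.group("IPAddress"),
    }


def format_message(fields: dict) -> str:
    """Build the one-line summary the question asks for: date, time, action, user, source IP."""
    return (
        f"{fields['Month']} {fields['Day']} {fields['Time']} "
        f"{fields['Action']} {fields['UserId']} {fields['IPAddress']}"
    )


def summarize(lines) -> list:
    """Apply the extraction to every line and keep only the lines that matched."""
    out = []
    for line in lines:
        fields = extract_vpn_event(line)
        if fields is not None:
            out.append(format_message(fields))
    return out


if __name__ == "__main__":
    for msg in summarize(SAMPLE_EVENTS):
        print(msg)
```

Running it prints one summary line per VPN event and nothing for the third sample line. The answer's search does the same job in one pass, with strftime(_time, ...) supplying the timestamp; if a Meraki event arrives split across lines as in the question, the `[^ ]*` and `[^']*` classes still work because neither contains a newline, but the search should be checked against the real events to confirm Splunk indexed each message as a single event.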


TechnicalRS
Engager

That works perfectly. Thank you very much!
