Splunk Search

How to create a table from syslog event?

wiredmonkey
Explorer

I want to create a table from the following syslog entry:

Aug 14 15:37:34 192.168.10.18 Aug 14 15:37:33 WestAnnex1 MAC Authentication failed for [0013.72eb.7330 ] on port 0/1/47 (Invalid User)

The problem I'm having is that the fields I'm interested in aren't being created (I'm new to Splunk, forgive me). I want the following table:

Time/Date
Source (WestAnnex1 for this example; maybe able to re-label this to West Annex Switch)
MAC Address (0013.72eb.7330 for this example)
Port (0/1/47 for this example)

Hope I'm making sense and someone can help.
Thanks!

1 Solution

somesoni2
SplunkTrust

Try this

your base search <<index=A sourcetype=B...>> | rex "(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)" | table _time Source MAC_Address Port

Date/Time should already be extracted as _time by Splunk.

wiredmonkey
Explorer

Well, just as you said, a space happened and it messed up the table. See below for the raw syslog:

Sep 2 07:53:25 192.168.10.18 Sep 2 07:53:24 WestAnnex1 MAC Authentication failed for [0030.a103.b3f4 ] on port 0/1/48 (Invalid User)
Aug 29 13:38:49 192.168.10.18 Aug 29 13:38:49 WestAnnex1 MAC Authentication failed for [0050.b980.10c9 ] on port 0/1/47 (Invalid User)

I changed the 7 to a 9 before Source and that fixed it, but it will just go back when we hit Sept 10.

Thoughts?

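As an added illustration that is not part of either post, here is the accepted rex and a whitespace-tolerant variant run through Python's re module, which accepts the same (?P<name>...) group syntax as Splunk's rex; it reproduces the single-digit-day misalignment reported above and shows a pattern that is not sensitive to it. ROBUST_RE, the Timestamp group, SOURCE_LABELS and the padded sample events are my assumptions, not anything the thread itself contains.

```python
import re

# Constructed sample events modelled on the lines quoted in this thread. The second
# one has a single-digit day, so syslog pads it to "Sep  2" (two spaces), which is
# what shifted the field count in the accepted search.
EVENTS = [
    "Aug 14 15:37:34 192.168.10.18 Aug 14 15:37:33 WestAnnex1 MAC Authentication "
    "failed for [0013.72eb.7330 ] on port 0/1/47 (Invalid User)",
    "Sep  2 07:53:25 192.168.10.18 Sep  2 07:53:24 WestAnnex1 MAC Authentication "
    "failed for [0030.a103.b3f4 ] on port 0/1/48 (Invalid User)",
]

# The rex from the accepted answer, unchanged: every "token" is [^ ]* followed by
# exactly one space, so a double space counts as an extra (empty) token.
ORIGINAL_RE = re.compile(
    r"(?i)^(?:[^ ]* ){7}(?P<Source>[^ ]+).*\[(?P<MAC_Address>[^\]]+)\].*\sport\s(?P<Port>[^\s]+)"
)

# Whitespace-tolerant version (assumption: same field layout as the sample lines).
# \S+\s+ consumes a token and *all* the spaces after it, so day padding is harmless;
# \s*\] drops the stray space the switch leaves inside the brackets.
ROBUST_RE = re.compile(
    r"^(?P<Timestamp>\S+\s+\S+\s+\S+)"     # relay timestamp, e.g. "Sep  2 07:53:25"
    r"(?:\s+\S+){4}\s+"                    # relay IP and the switch's own timestamp
    r"(?P<Source>\S+)"                     # switch hostname
    r".*?\[(?P<MAC_Address>[^\]]+?)\s*\]"  # MAC address without the trailing space
    r".*?\bport\s+(?P<Port>\S+)"           # port, e.g. 0/1/47
)

# Hypothetical relabelling of the hostname, as the question asks for.
SOURCE_LABELS = {"WestAnnex1": "West Annex Switch"}

def extract(pattern, event):
    """Return the named groups for one event, or None if the pattern fails."""
    m = pattern.search(event)
    return m.groupdict() if m else None

def build_table(events, pattern=ROBUST_RE):
    """The equivalent of '| table Timestamp Source MAC_Address Port'."""
    rows = []
    for event in events:
        fields = extract(pattern, event)
        if fields is None:
            continue  # skip events that are not MAC-auth failures
        fields["Source"] = SOURCE_LABELS.get(fields["Source"], fields["Source"])
        rows.append(fields)
    return rows
```

In SPL the same change is replacing `(?:[^ ]* ){7}` with `(?:\S+\s+){7}` in the rex, since the rex command uses PCRE with the same `\S`/`\s` classes.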

somesoni2
SplunkTrust

No, you don't have to, unless the value contains a space (currently I am taking all characters before a space is encountered).


wiredmonkey
Explorer

That worked like a charm! Thanks!

I ended up doing this:

index=main sourcetype=syslog mac authentication | ....

One more quick question: if the source (WestAnnex1) changes, that is, it says NorthAnnex1 (more and/or fewer characters), will I have to alter anything?
