Splunk Search

create field for syslog raw data

SridharS
Path Finder

Aug 31 10:06:32 serverA.com Aug 31 16:06:32 [serverA: HTTPPool02:debug]: sridhar:AUTH:error:Login failed for user sridhar from IP 10.100.150.110. reason "User not authenticated"

Aug 31 10:06:32 ServerB.com Aug 31 22:06:32 [ServerB:HTTPPool03:debug]: netsupport:AUTH:error:Login failed for an unknown user from IP 11.200.10.110. reason "User does not exist"

Above is the raw data from my search. The source=UDP port, sourcetype=syslog and index=syslog. I need to create fields "user" and "reason". May I know what regex command I can use, and how to reflect it in my transforms.conf and props.conf files?

0 Karma
1 Solution

somesoni2
Revered Legend

You can add this to your props.conf

EXTRACT-fields = Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)

This should give you both User and reason extracted.


0 Karma

richgalloway
SplunkTrust

This is probably better than my answer. I would improve it by making the first group non-capturing (?:an|user).

---
If this reply helps you, Karma would be appreciated.
0 Karma

somesoni2
Revered Legend

Thanks Richard for the suggestion. Implemented.

0 Karma

SridharS
Path Finder

Hi, this regex works:

EXTRACT-fields = Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)

Thank you. I made it through Splunk Web -> Settings -> Fields.

0 Karma

richgalloway
SplunkTrust

If it works, please accept an answer.

---
If this reply helps you, Karma would be appreciated.
0 Karma

richgalloway
SplunkTrust

This regex string will extract the user and reason text. In the case of "unknown user", the user field will be empty.

for (?:.*?)user (?<user>\w*)\s*from.*reason \"(?<reason>[^\"]*)

---
If this reply helps you, Karma would be appreciated.
0 Karma

SridharS
Path Finder

Sep 1 11:42:58 serverA.com Sep 1 21:12:58 [serverA: rshd_0:debug]: netsupport@[192.100.200.81_4177]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run serverB df -m
Sep 1 11:42:53 serverA.com Sep 2 01:42:53 [serverA:rshd_0:debug]: netsupport@[192.100.200.76_62046]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run ServerBrt igroup show

Above is the raw data from my search. I need to extract the field INPUT COMMAND. I tried this with some regex expressions, but I am not a genius at finding it ASAP. I am struggling with this; can someone help me with it, and if possible can you please describe which value or symbol represents what in this command? Thanks in advance.

0 Karma

somesoni2
Revered Legend

Use the following regex:

INPUT COMMAND is (?<Command>.*)
0 Karma
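An added example, not posted by anyone in this thread: running the three regexes given above against the sample events quoted in the two questions, to show how the accepted answer and richgalloway's variant differ on the "unknown user" event. JavaScript is used because its (?<name>...) named groups use the same syntax as the PCRE engine behind Splunk's EXTRACT-* settings (Python's re module would need (?P<name>...) instead); the helper names are assumptions of this example.

```javascript
// Added example (not from the thread): exercise the posted regexes against
// the raw events from the questions before committing them to props.conf.
// The \" escapes copied from the conf lines work unchanged in a JS literal.

// Sample events quoted in the two questions (copied from the thread).
const AUTH_EVENTS = [
  'Aug 31 10:06:32 serverA.com Aug 31 16:06:32 [serverA: HTTPPool02:debug]: sridhar:AUTH:error:Login failed for user sridhar from IP 10.100.150.110. reason "User not authenticated"',
  'Aug 31 10:06:32 ServerB.com Aug 31 22:06:32 [ServerB:HTTPPool03:debug]: netsupport:AUTH:error:Login failed for an unknown user from IP 11.200.10.110. reason "User does not exist"',
];
const SSH_EVENTS = [
  'Sep 1 11:42:58 serverA.com Sep 1 21:12:58 [serverA: rshd_0:debug]: netsupport@[192.100.200.81_4177]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run serverB df -m',
  'Sep 1 11:42:53 serverA.com Sep 2 01:42:53 [serverA:rshd_0:debug]: netsupport@[192.100.200.76_62046]:IN:ssh2 shell:SSH INPUT COMMAND is vfiler run ServerBrt igroup show',
];

// Accepted answer: for an unknown user, User becomes the text "unknown user".
const ACCEPTED = /Login failed for (?:an|user) (?<User>.+) from IP.*reason \"(?<Reason>[^\"]+)/;
// richgalloway's variant: user is left empty for an unknown user.
const ALTERNATIVE = /for (?:.*?)user (?<user>\w*)\s*from.*reason \"(?<reason>[^\"]*)/;
// Second question: everything after "INPUT COMMAND is" becomes Command.
const COMMAND = /INPUT COMMAND is (?<Command>.*)/;

// Apply one regex to one raw event. Returns the named groups as a plain
// object, or null when the event does not match (Splunk would then simply
// not populate the fields for that event).
function extract(regex, event) {
  const m = regex.exec(event);
  return m ? { ...m.groups } : null;
}

// Apply one regex to every event, keeping nulls so gaps are visible.
function extractAll(regex, events) {
  return events.map((e) => extract(regex, e));
}

// Run stand-alone to eyeball the field values side by side.
console.log('accepted   :', extractAll(ACCEPTED, AUTH_EVENTS));
console.log('alternative:', extractAll(ALTERNATIVE, AUTH_EVENTS));
console.log('command    :', extractAll(COMMAND, SSH_EVENTS));
```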