Is this the correct way to extract successful and failed logins from /var/log/secure in a search?

sureshsala
Explorer

I need help with the regular expression for field extraction of login status:

Successful:

source="/var/log/secure" | rex field=_raw " user (?<user>[^ ]+)" | search user="*" | chart count BY host,user

Failed:

source="/var/log/secure" | rex field=_raw " invalid user (?<user>[^ ]+)" | search user="*" | chart count BY host,user

Is this the right way to do it, or is there a better way?

Please help.


somesoni2
Revered Legend

Assuming your regex is correctly extracting the users, I would try it like this (I would always throw in the index and sourcetype as well):

Successful

index=yourIndex sourcetype=yourSourcetype source="/var/log/secure" "session opened for user " | rex field=_raw "session opened for user (?<user>[^ ]+)"  | chart count BY host,user

Failed

index=yourIndex sourcetype=yourSourcetype  source="/var/log/secure" fail OR invalid | rex field=_raw " invalid user (?<user>[^ ]+)" | chart count BY host,user 

sureshsala
Explorer

@somesoni2 Awesome, thanks a lot, but the failed regex is adding a NULL user and I am unable to figure out why.

sureshsala
Explorer

Answer:

source="/var/log/secure" input_userauth_request AND (fail OR invalid) | rex field=_raw " invalid user (?<user>[^ ]+)" | chart count BY host,user
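
As an added illustration that is not part of the thread, the Python below applies the thread's rex patterns to a few constructed sshd events from /var/log/secure, mimicking `... | rex field=_raw ... | chart count BY host,user`, and shows both why the question's original " user " rex also credits failed attempts as successful logins and where the NULL user on the failed search comes from (a "Failed password for root" event matches the `fail` term but has no "invalid user" text for the rex to capture). The sample events, the helper names and the broader FAILED_BOTH pattern are my own assumptions, not taken from the thread.

```python
import re
from collections import Counter

# Constructed sample /var/log/secure (sshd) events for this demo; not taken from the thread.
SAMPLE_EVENTS = [
    "Mar  1 10:01:02 web01 sshd[1201]: Accepted password for alice from 10.0.0.5 port 50122 ssh2",
    "Mar  1 10:01:02 web01 sshd[1201]: pam_unix(sshd:session): session opened for user alice by (uid=0)",
    "Mar  1 10:02:10 web01 sshd[1230]: input_userauth_request: invalid user admin [preauth]",
    "Mar  1 10:02:12 web01 sshd[1230]: Failed password for invalid user admin from 10.0.0.9 port 50200 ssh2",
    "Mar  1 10:03:00 db01 sshd[2001]: Failed password for root from 10.0.0.9 port 50300 ssh2",
]

# Python forms of the thread's rex patterns; Splunk's (?<user>...) is (?P<user>...) in re.
OP_SUCCESS = r" user (?P<user>[^ ]+)"                          # question's "Successful" rex
ACCEPTED_SUCCESS = r"session opened for user (?P<user>[^ ]+)"  # accepted answer's rex
FAILED = r" invalid user (?P<user>[^ ]+)"                      # "Failed" rex used in the thread
# Assumed broader pattern (my addition): also captures "Failed password for <user>" lines.
FAILED_BOTH = r"(?:Failed password for (?:invalid user )?|invalid user )(?P<user>[^ ]+)"


def rex(pattern, event):
    """Like `rex field=_raw`: the named group on a match, else None (Splunk's NULL)."""
    m = re.search(pattern, event)
    return m.group("user") if m else None


def chart_count(events, terms, pattern):
    """Mimic `<terms> | rex field=_raw <pattern> | chart count BY host,user`.

    `terms` (or None for no filter) is an OR of case-insensitive substrings,
    a simplification of Splunk's token search.  Returns {(host, user): count};
    user is None when the rex did not match, i.e. the NULL row from the thread.
    """
    counts = Counter()
    for ev in events:
        if terms and not any(t.lower() in ev.lower() for t in terms):
            continue
        host = ev.split()[3]  # syslog layout: "Mon DD HH:MM:SS host ..."
        counts[(host, rex(pattern, ev))] += 1
    return dict(counts)


if __name__ == "__main__":
    print("OP success  :", chart_count(SAMPLE_EVENTS, None, OP_SUCCESS))
    print("accepted    :", chart_count(SAMPLE_EVENTS, ["session opened for user "], ACCEPTED_SUCCESS))
    print("failed      :", chart_count(SAMPLE_EVENTS, ["fail", "invalid"], FAILED))
    print("failed both :", chart_count(SAMPLE_EVENTS, ["fail", "invalid"], FAILED_BOTH))
```

In the sample, admin is counted twice on the failed chart because a single bad-username attempt produces both a preauth "invalid user" line and a "Failed password" line, so a production search should key on one line type to count attempts rather than log lines.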

sundareshr
Legend

What does the log entry look like? Can you share one event with successful logon and one with failed logon?
