Splunk Search

How to search and extract SSH user accounts which are logged in with an interactive login based on my sample data?

akashjohn
Explorer

Hi Team,

I am looking for a Splunk search to get a statistics table output.

What I am looking for is the SSH user accounts that are logged in with an interactive login; note that the user names will start with a specific prefix, support_ (support_1, support_2, etc.). Could you please let me know how we can achieve this?


sundareshr
Legend

Try this

index=xyz ("sshd" AND "keyboard-interactive/pam for support_*")  | rex "support_(?<support_user>[^\s]+)"  | stats count by support_user 

jplumsdaine22
Influencer

Without knowing what fields are available to you, this following search would work:

"Accepted keyboard-interactive/pam for support_*" 

If you want to extract the username inline you can try this

"Accepted keyboard-interactive/pam for support_*" | rex field=_raw "support_(?<support_user>[^\s]+)"

And then append whatever stats/timechart etc search you wish after that, eg

"Accepted keyboard-interactive/pam for support_*" | rex field=_raw "support_(?<support_user>[^\s]+)" | stats count by support_user

renjith_nair
Legend

Do you have some sample data and field names? If you just want to exclude specific strings, just try

index=yourindex source=yoursource ...rest of your search NOT "support_*"
Happy Splunking!

akashjohn
Explorer

Hi Renjith,

Please find the sample data below,

Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2

We need to extract the user names (in the above case, support_win_dev_scope) from all samples like this.

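The extraction the thread is converging on, as an added Python example that is not from any poster: the same regex idea applied to constructed sshd lines in the posted format, keeping only successful keyboard-interactive logins for support_ users (the full name, prefix included) and counting them the way `stats count by support_user` would. The sample lines below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd lines in the same format as the one posted in the thread.
SAMPLE_LOGS = """\
Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2
Jul 13 04:25:11 dev-ron-aka-vin sshd[23301]: Accepted keyboard-interactive/pam for support_1 from 10.1.0.7 port 50122 ssh2
Jul 13 04:26:40 dev-ron-aka-vin sshd[23355]: Accepted publickey for deploy from 10.1.0.9 port 41002 ssh2
Jul 13 04:27:02 dev-ron-aka-vin sshd[23360]: Failed keyboard-interactive/pam for support_2 from 10.1.0.8 port 51234 ssh2
Jul 13 04:28:15 dev-ron-aka-vin sshd[23390]: Accepted keyboard-interactive/pam for support_1 from 10.1.0.7 port 50130 ssh2
"""

# Mirrors the SPL rex, but captures the whole user name (prefix included) plus
# the outcome, auth method and source IP so the filter can be applied in code.
SSHD_RE = re.compile(
    r"sshd\[(?P<pid>\d+)\]: (?P<outcome>Accepted|Failed) "
    r"(?P<method>\S+) for (?P<support_user>support_\S+) from (?P<src_ip>\S+)"
)


def interactive_support_logins(raw: str):
    """Return parsed events for successful keyboard-interactive logins of support_* users."""
    events = []
    for line in raw.splitlines():
        m = SSHD_RE.search(line)
        if not m:
            continue  # not an sshd auth line, or not a support_ user
        if m["outcome"] != "Accepted" or m["method"] != "keyboard-interactive/pam":
            continue  # failed attempts and other auth methods are out of scope
        events.append(m.groupdict())
    return events


def count_by_user(events):
    """Equivalent of `| stats count by support_user`."""
    return dict(Counter(e["support_user"] for e in events))


def count_by_user_and_ip(events):
    """Equivalent of `| stats count by support_user, src_ip`."""
    return dict(Counter((e["support_user"], e["src_ip"]) for e in events))


if __name__ == "__main__":
    evs = interactive_support_logins(SAMPLE_LOGS)
    for user, n in sorted(count_by_user(evs).items()):
        print(f"{user:<25} {n}")
```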