How to search and extract SSH user accounts which ...

akashjohn · ‎07-13-2016

Hi Team,

I am looking for a Splunk search to get a statistics table output

I am looking for is the SSH user accounts which are logged in with interactive login and note that the user names will be starting with a specific prefix as support_ (support_1, support_2, etc). Could you please let me know how can we achieve this?

sundareshr · ‎07-13-2016

Try this

index=xyz ("sshd" AND "keyboard-interactive/pam for support_*")  | rex "support_(?<support_user>[^\s]+)"  | stats count by support_user

jplumsdaine22 · ‎07-13-2016

Without knowing what fields are available to you, this following search would work:

"Accepted keyboard-interactive/pam for support_*"

If you want to extract the username inline you can try this

"Accepted keyboard-interactive/pam for support_*"  | rex _raw="support_(?<support_user>[^\s]+)"

And then append whatever stats/timechart etc search you wish after that, eg

"Accepted keyboard-interactive/pam for support_*"  | rex _raw="support_(?<support_user>[^\s]+)"  | stats count by user

renjith_nair · ‎07-13-2016

Do you have some sample data and field names? If you just want to exclude specific strings , just try

index=yourindex source=yoursource ...rest of your search NOT "support_*"

Happy Splunking!

akashjohn · ‎07-13-2016

Hi Renjith,

Please find the sample data below,

Jul 13 04:23:07 dev-ron-aka-vin sshd[23227]: Accepted keyboard-interactive/pam for support_win_dev_scope from 10.1.0.2  port 56359 ssh2

We need to extract the user names (in above case support_win_dev_scope ) form all samples like this.

How to search and extract SSH user accounts which are logged in with an interactive login based on my sample data?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life