Splunk Search

My multi-line regex won't work after saving it for field extractions in a HPUX audit log

guarisma
Contributor

Hello,

This is my regex, it works well using the rex command on the search bar of my app like this:

index=hpux tag=audit "bin/rm" | rex "(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n(?:^.*\n)+^Return1:\s+(?P<status>[\S]+)\n(?:^.*\n)+^\s+given path = \"(?P<command>[\S]+)\"\n(?:^.*\n)+^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\""

This is my sample event:

Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
Groups:                 3(sys), 0(root), 1(other), 2(bin), 4(adm), 5(daemon), 6(mail), 7(lp), 20(users)
Effective privileges:           "BASIC"
Permitted privileges:           "BASIC"
Retained privileges:            "BASIC"
Audit tag:              0:         0:(system):      (boot)
TTY:                    (none)
Return1:                0
Arg 1 (file info):                      
                    given path = "/usr/bin/rm"
                    inode = 204
                    device = 64, 0x7
                    mode = 0100555
                    owner uid/gid = 2/2
                    type = regular file
Arg 2 (argument list):                  
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):                      
                    inode = -1
--------------------------------------------------------------------

So,
pid=9368
ppid=9361
user=root
group=sys
status=0
command=/usr/bin/rm
file=/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old

But when I paste it into the Field Extraction GUI, the preview works; I then save it under my app with Global permissions, but my searches won't extract any of the fields.

Am I missing something? This usually works out of the box.

I'm running Splunk 6.4.1.
Thanks for any help.


gokadroid
Motivator

Try this please as I was able to extract it with this regex and all the fields showed up after extraction:

(?s)PID:\s+(?<pid>[^\D]+).*PPID:\s+(?<ppid>[^\D]+).*User\/Grp:\s+\S+\((?<user>[^\/]+)\/(?<group>[^\)]+)\).*Return1:\s+(?<status>[^\D]+).*given\s+?path\s+?=\s+?\"(?<command>[^\s\"]+).*arg\s+?\#\d\s+?=\s+?\"(?<file>[^\s\"]+).*

If it works, please accept the answer and up vote. Thanks!

guarisma
Contributor

Thanks for your help, but I have decided to take another option since this type of log mutates a lot.

I decided to just keep the header part in one Field Extraction:

(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n

And then make several other Field Extractions for the rest of the commands:

^Return1:\s+(?P<status>[\S]+)\n

^\s+given path = \"(?P<command>[\S]+)\"\n

^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\"

Now the next problem I have is that I can have any number of "arg #N" and it would be nice to capture all of them dynamically.

Any HP-UX audit log experts out there? 🙂

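As an added example (not code from either post), here is the question's multi-line regex run in Python over a constructed, abridged copy of the sample event; Python's re module uses the same (?P<name>...) group syntax as the rex command, but does not accept the (?<name>...) form used in gokadroid's answer. A second pattern collects every "arg #N" value, which is what the follow-up asks about.

```python
import re

# Constructed, abridged copy of the HP-UX audit event quoted in the question
# (some privilege and file-info lines dropped; indentation kept as posted).
EVENT = """Time:                   Fri Oct 14 11:00:00 16 EDT
PID:                    9368
PPID:                   9361
User/Grp:               0/3(root/sys)
Groups:                 3(sys), 0(root), 1(other), 2(bin), 4(adm)
TTY:                    (none)
Return1:                0
Arg 1 (file info):
                    given path = "/usr/bin/rm"
                    inode = 204
Arg 2 (argument list):
                    arg #1 = "rm"
                    arg #2 = "/audit/.audit/hplab15.audtrail.20161012_1050_1054.txt_old"
Other (file info):
                    inode = -1
"""

# The question's multi-line regex: (?m) makes ^ match at every line start, and
# each greedy (?:^.*\n)+ backtracks to the *last* line that satisfies what
# follows it, which is why "file" ends up being the last "arg #N" value.
HEADER_RE = re.compile(
    r"(?m)^(?:.*)\n^PID:\s+(?P<pid>[\S]+)\n^PPID:\s+(?P<ppid>[\S]+)\n"
    r"^User\/Grp:\s+\S+\((?P<user>[\S]+)\/(?P<group>[\S]+)\)\n"
    r"(?:^.*\n)+^Return1:\s+(?P<status>[\S]+)\n"
    r"(?:^.*\n)+^\s+given path = \"(?P<command>[\S]+)\"\n"
    r"(?:^.*\n)+^\s+arg\s#\d+\s=\s\"(?P<file>[\S]+)\""
)

# One "arg #N" line at a time, so every argument is collected, not just the last.
ARG_RE = re.compile(r'(?m)^\s+arg\s#(\d+)\s=\s"([^"]*)"')

def extract_fields(event):
    """Return the seven fields the question expects, or None when the event
    does not have the layout the regex assumes (e.g. no Return1 line)."""
    m = HEADER_RE.search(event)
    return m.groupdict() if m else None

def extract_args(event):
    """Return all arg #N values in order, as a Splunk multivalue field would."""
    return [value for _num, value in ARG_RE.findall(event)]

if __name__ == "__main__":
    print(extract_fields(EVENT))
    print(extract_args(EVENT))
```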