Splunk Search

Working with eventtypes

Branden
Builder

I'm wondering if someone can provide me with a suggestion on how to handle this (probably straight-forward) scenario.

So here's an event:

PSAPPSRV.14586 (13) 07/12/12 09:17:46 GetCertificate Sign on PeopleCode authentication succeeded for user ABCUSER123@foo.xyz.com.

Here's a similar event:

PSAPPSRV.29564 (7) 07/22/12 02:37:15 GetCertificate Sign on PeopleCode authentication succeeded for user ABCUSER123@987.123.456.33.

They're similar except that one event has a user/hostname, the other has a user/IP address.
(The hostnames/IP addresses have been modified for anonymity.)

What I want to do is have a single event type called "ps_login_success" that will include events from any user from any host or IP.

I also want to extract two fields from these events: the "ps_user" (ABCUSER123) and, depending on context, either the remote hostname or the remote IP.

So my questions:

  1. The eventtype wizard can't quite do what I need it to do. What does this eventtype definition look like if I need to do it manually?

  2. Similar question regarding the field extractions. I can't get the field extractor to do what I need it to do either. Am I creating two regexes, one for each scenario? Or is there a way to do it with one?

  3. Should I extract the fields within the context of the eventtype? Or should the field extraction be separate from the eventtype?

Thank you in advance for your assistance!

0 Karma

lguinn2
Legend

First, if you run this search, does it only retrieve events that should belong to the eventtype?

"Sign on" "authentication succeeded for user"

If yes, then click "Create -> Eventtype" in 4.3. In earlier versions, choose "Save as event type..." from the Actions menu.
Give the eventtype the name "ps_login_success" and save it.

Second, regarding field extractions. You can do this with one regular expression, like this:

"authentication succeeded for user (?P<userName>.*?)@(?P<userDomain>.*?)\.(?:\s|$)"

You could put this in props.conf, or use it in a rex command:

yoursearchhere
| rex "authentication succeeded for user (?P<userName>.*?)@(?P<userDomain>.*?)\.(?:\s|$)"
| stats count by userDomain userName

In props.conf

[sourcetypenamehere]
# userDomain must be an unescaped .*? so it captures the host part; the trailing
# alternation lets the final '.' sit at end of event as well as before whitespace.
EXTRACT-e1 = authentication succeeded for user (?P<userName>.*?)@(?P<userDomain>.*?)\.(?:\s|$)

The field extraction is separate from the eventtype.
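Added example, not part of the thread: a small Python script that mirrors the two pieces of the answer above, the eventtype filter (both literal phrases must match) and a single regex extraction, and then sorts the captured host part into a remote IP or a remote hostname, which is the "depending on context" part of the original question. The events are constructed copies of the two samples plus one failed login; the names ps_user, remote_host and remote_ip are the asker's, everything else is assumed.

```python
import re

# One regex in the shape of the posted one: userName is everything up to '@',
# userDomain is everything up to the sentence-ending '.' (which may be the last
# character of the event, hence the (?:\s|$) alternation).
LOGIN_RE = re.compile(
    r"authentication succeeded for user (?P<userName>[^@\s]+)@(?P<userDomain>\S+?)\.(?:\s|$)"
)

# The anonymised sample IP (987.123.456.33) is not a valid address, so classify
# by shape (dotted quad) rather than with ipaddress.ip_address().
DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample events; hostnames and IPs are placeholders as in the question.
SAMPLE_EVENTS = [
    "PSAPPSRV.14586 (13) 07/12/12 09:17:46 GetCertificate Sign on PeopleCode "
    "authentication succeeded for user ABCUSER123@foo.xyz.com.",
    "PSAPPSRV.29564 (7) 07/22/12 02:37:15 GetCertificate Sign on PeopleCode "
    "authentication succeeded for user ABCUSER123@987.123.456.33.",
    "PSAPPSRV.29564 (7) 07/22/12 02:38:00 GetCertificate Sign on PeopleCode "
    "authentication failed for user OTHERUSER@10.0.0.5.",
]


def is_ps_login_success(event):
    """Same test as the eventtype search: both quoted phrases must be present."""
    return "Sign on" in event and "authentication succeeded for user" in event


def extract_fields(event):
    """Return ps_user plus remote_ip or remote_host, or None if the regex does not match."""
    m = LOGIN_RE.search(event)
    if not m:
        return None
    domain = m.group("userDomain")
    fields = {"ps_user": m.group("userName")}
    if DOTTED_QUAD.match(domain):
        fields["remote_ip"] = domain
    else:
        fields["remote_host"] = domain
    return fields


def ps_login_success_fields(events):
    """Equivalent of: eventtype=ps_login_success | rex ... (filter first, then extract)."""
    return [extract_fields(e) for e in events if is_ps_login_success(e)]


if __name__ == "__main__":
    for row in ps_login_success_fields(SAMPLE_EVENTS):
        print(row)
```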

Branden
Builder

Thank you for your response. The trouble I ran into was figuring out how to distinguish one eventtype "format" from the other (i.e. one with a hostname from one with an IP). Then it turns out there was a third format. Ugh!

I got around this using the "punct" feature. However, I think your suggestion is simpler. I will give it a try, thanks!

0 Karma