Hello!
Please let me know how I can extract the status of the authentication from the following logs into an action field.
CRON: pam_unix(cron:session): session opened for user root by (uid=0)
CRON: pam_unix(cron:session): session closed for user root
thanks!
Hi @ysifusuf,
You can get that extracted directly within your search as follows:
..... | rex field=_raw "([^:]+\:)+\ssession\s(?<action>\w+)\s"
Or if you add it as an extracted field to have it automatically on your next search as shown here for GUI:
https://docs.splunk.com/Documentation/Splunk/7.2.6/Knowledge/Managesearch-timefieldextractions#Revie...
Or by editing props.conf:
[your_authentication_sourcetype]
EXTRACT-action = ([^:]+\:)+\ssession\s(?<action>\w+)\s
Cheers,
David
You can also do it like this:
| rex field=_raw "^(?:[^ \n]* ){3}(?P<action>\w+)"
Hey man,
it works, thanks
@DavidHourani
You're welcome!
There are a number of ways to do that, depending on your specific needs. Here's one:
index=foo | rex "session (?<action>\S+) for user (?<user>\S+)" | ...