Sorry for the strange title... couldn't think of anything better. Doing a search on a command field in Splunk with values like:
sudo su - somename
sudo su - another_name
sudo su -
And I'm only looking for the records "sudo su -". I don't want the records that match those characters and more... just records that ONLY contain "sudo su -". When I write the search Command="sudo su -" I still get the other records too. Struggling to figure this out.
Thanks!
There are lots of ways to make this happen.
You could use a sed mode rex to eliminate the part you don't care about, and if anything is left, keep the record...
your search that gets all the "sudo su -" (and remember there may be extra spaces...)
| eval testfield=Command
| rex mode=sed field=testfield "s/sudo\s+su\s+-//"
| where testfield!=""
You could use a regular expression that will only match if there are non-whitespace characters after the -
your search that gets all the "sudo su -" (and remember there may be extra spaces...)
| regex Command="\s*sudo\s+su\s+-[ \t]*\w"
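As an added example (not from any of the posters), this self-contained search builds the three sample Command values from the question with makeresults and keeps only the bare "sudo su -" by anchoring the regex at both ends, so leading or trailing whitespace is tolerated but a following account name is not:

```spl
| makeresults count=3
| streamstats count AS n
| eval Command=case(n==1, "sudo su - somename", n==2, "sudo su - another_name", n==3, " sudo  su -  ")
| regex Command="^\s*sudo\s+su\s+-\s*$"
| table Command
```

Replace the makeresults/streamstats/eval lines with your real base search; the regex line is the only part that does the filtering, and dropping the `$` anchor is what lets the longer commands back in.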
@joesrepsol
have you tried the search command?
try this:
| makeresults | eval _raw=" Command
sudo su - somename
sudo su - another_name
sudo su -
" | multikv | search Command="sudo su -"
THANK YOU.
This seems to have worked! I'm a little confused why adding Command="sudo su -" in the normal search seemingly applies an asterisk to the value, but adding it with the |search Command="sudo su -" doesn't?
Regardless, it's working, and thank you.
Great.
Can you please accept the answer and upvote it to help the community?