- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex field extraction
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could someone help me extract the two bold words from the following sample
SAMPLE EVENT 1
2018-07-02 08:51:44,648 https-nsse-nio-8663-exec-18 LRQ9923 531x698404x16 1kvc79 99.103.154.114,30.128.209.1 /best/madget/1.0/login The user 'LRQ9923' has PASSED authentication.Could someone help me extract the three bold words from the following sample
SAMPLE EVENT 2
2018-07-02 09:18:44,761 https-nsse-nio-8663-exec-90 anonymous 558x723020x25 5lqwk7 88.128.203.123,30.118.254.78 /best/madget/1.0/login The user 'JRA3620' has FAILED authentication. Failure count equals 3
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
user\s+'?(?<user>[^\s']+)'?\shas\s(?<outcome>\S+)\sauthentication.(?:\s+Failure count equals\s+(?<failure_count>\d+))?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
user\s+'?(?<user>[^\s']+)'?\shas\s(?<outcome>\S+)\sauthentication.(?:\s+Failure count equals\s+(?<failure_count>\d+))?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
In the events like the following , it won't give me the Failure Count
2018-07-02 09:18:44,761 https-nsse-nio-8663-exec-90 anonymous 558x723020x25 5lqwk7 88.128.203.123,30.118.254.78 /best/madget/1.0/login The user 'JRA3620' has FAILED authentication. Failure count equals 4
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@zacksoft this should work with the sample data you have provided. Following is a run anywhere search based on the data provided:
| makeresults
| eval data="2018-07-02 08:51:44,648 https-nsse-nio-8663-exec-18 LRQ9923 531x698404x16 1kvc79 99.103.154.114,30.128.209.1 /best/madget/1.0/login The user 'LRQ9923' has PASSED authentication.;2018-07-02 09:18:44,761 https-nsse-nio-8663-exec-90 anonymous 558x723020x25 5lqwk7 88.128.203.123,30.118.254.78 /best/madget/1.0/login The user 'JRA3620' has FAILED authentication. Failure count equals 3;2018-07-02 09:18:44,761 https-nsse-nio-8663-exec-90 anonymous 558x723020x25 5lqwk7 88.128.203.123,30.118.254.78 /best/madget/1.0/login The user 'JRA3620' has FAILED authentication. Failure count equals 4"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "user\s+'?(?<user>[^\s']+)'?\shas\s(?<outcome>\S+)\sauthentication.(?:\s+Failure count equals\s+(?<failure_count>\d))?"
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quite correct, I updated my answer.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you @woodcock
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Make sure to change that last \d to a \d+ if the failure count can be higher than 9.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Updated again
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure @FrankVI
Would you happen to know any way to automatically generate Splunk rex extraction commands by selecting what fields we want to fetch from the event?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you unfold an event in Splunk, there is a button called "Event Actions", which has an action "Extract Fields".
This brings you to Splunk's Field Extractor GUI, and that does allow you to mark fields in the event and let Splunk generate the regex. You can then either store that as an automatic field extraction, or copy paste the resulting regex into a search query.
But generally this doesn't really result in the best quality regexes. It is really worthwhile investing a little bit of time in learning how regular expressions work and then writing them yourself, with the help of tools like regex101.com. That way you keep it in your control and don't rely on magic you don't fully understand.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @zacksoft,
try this:
|rex "user\s\'(?<User>[^']+)'\shas\s(?<Result>\w+)\sauthentication.*(count\sequals\s(?<Count>\d+))?"
try it in regex101: https://regex101.com/r/vtbCOg/1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@493669
For the event of following type.
It won't give me the 'Failure Count'
2018-07-02 09:18:44,761 https-nsse-nio-8663-exec-90 anonymous 558x723020x25 5lqwk7 88.128.203.123,30.118.254.78 /best/madget/1.0/login The user 'JRA3620' has FAILED authentication. Failure count equals 4
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
