Hi,
I use Splunk to monitor FTP logs, but the files pass through 2 servers, which have different log formats:
XML example (first logs):
<filename value="/ABC_00000_2000_01_01.zip" />
<destination value="C:\User\ABC_00000_2000_01_01.zip" />
<result success="true" />
Text example (second logs):
2000-01-01 00:00:00,00 - Moving file: 'ABC_00000_2000_01_01.zip' to \\192.168.1.1\toto\titi
move return code : 0
I want to follow-up the file from the original source to the final destination in a single table.
table example: source_origin tmp_destination final_destination
I have written 2 separate queries that do what I want, but I can't find how to run them as a single query and correlate the events on a field (the filename) to get complete tracking of a file on a single line.
Part of my queries:
XML query:
sourcetype=xml |
rex field=_raw "filename value=\"(?<source_origin>[^\"]+)\"" |
rex field=_raw "destination value=\"(?<tmp_destination>[^\"]+)\"" |
rex field=source_origin "(?<file_name>[^/\\\\]+)$" |
table file_name source_origin tmp_destination
Text logs query:
sourcetype=log_try2 |
rex field=_raw "(?:Moving file: \'(?<file_name>[^\']+))" |
rex field=_raw "(?:to \\\\\\\(?<final_destination>[^ ]+))" |
table file_name final_destination
Thank you in advance for your answer; if something is not very clear, do not hesitate to let me know 🙂.
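One way to get both sourcetypes onto one row per file, added here as an example answer and not part of the original post. It keeps the field names and sourcetypes from the question and assumes that the basename of the file (`file_name`) is the only key shared by the two log formats; the two sample events below are reconstructed from the post. Rather than `join` (which runs a subsearch and is capped at a limited number of rows), it extracts the fields from whichever sourcetype each event came from and lets `stats ... BY file_name` do the correlation:

```spl
(sourcetype=xml OR sourcetype=log_try2)
| rex field=_raw "filename value=\"(?<source_origin>[^\"]+)\""
| rex field=_raw "destination value=\"(?<tmp_destination>[^\"]+)\""
| rex field=_raw "Moving file: '(?<file_name>[^']+)' to (?<final_destination>\S+)"
| rex field=source_origin "(?<file_name>[^/\\\\]+)$"
| rex field=tmp_destination "(?<file_name>[^/\\\\]+)$"
| where isnotnull(file_name)
| stats values(source_origin)     AS source_origin
        values(tmp_destination)   AS tmp_destination
        values(final_destination) AS final_destination
        BY file_name
| table file_name source_origin tmp_destination final_destination
```

With the two sample events from the post this yields a single row: `ABC_00000_2000_01_01.zip`, `/ABC_00000_2000_01_01.zip`, `C:\User\ABC_00000_2000_01_01.zip`, `\\192.168.1.1\toto\titi`. The key is derived from `source_origin` and from `tmp_destination` separately, so it still works if Splunk breaks the XML into one event per line rather than one event per transfer. `values()` deduplicates, so a file moved more than once shows up as a multivalue cell; if you need one row per transfer, add `_time` (for example `bin _time span=1d`) to the `BY` clause.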