Hi all,
I'm going crazy trying to extract a field from the MySQL access log. This is the example source:
<13>Nov 5 18:56:25 dnsinterno mysql: 091105 18:56:25 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on

<13>Nov 5 15:02:07 dnsinterno mysql: 091105 15:02:07 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on

<13>Nov 5 10:58:50 dnsinterno mysql: 091105 10:58:50 25 Connect test@localhost on

<13>Nov 5 10:55:36 dnsinterno mysql: 091105 10:55:36 24 Connect root@localhost on mysql

<13>Nov 5 10:54:56 dnsinterno mysql: 091105 10:54:56 23 Connect root@localhost on

<13>Nov 5 10:54:09 dnsinterno mysql: 091105 10:54:09 22 Connect Access denied for user 'fabio'@'localhost' (using password: YES)

<13>Nov 5 10:53:46 dnsinterno mysql: 091105 10:53:46 21 Connect root@localhost on

<13>Nov 5 10:51:52 dnsinterno mysql: 091105 10:51:52 20 Connect Access denied for user 'fabio'@'localhost' (using password: YES)

<13>Nov 5 10:45:08 dnsinterno mysql: 091105 10:45:08 19 Connect root@localhost on

<13>Nov 5 10:42:58 dnsinterno mysql: 091105 10:42:58 18 Connect Access denied for user 'ola'@'localhost' (using password: YES)

<13>Nov 5 10:41:55 dnsinterno mysql: 091105 10:41:55 17 Connect Access denied for user 'prova'@'localhost' (using password: YES)

<13>Nov 5 10:41:06 dnsinterno mysql: 091105 10:41:06 16 Connect Access denied for user 'root'@'localhost' (using password: YES)

<13>Nov 5 10:39:35 dnsinterno mysql: 091105 10:39:35 15 Connect root@localhost on

I need to extract the username (root, prova, ola, test, etc.) from this log, but if I extract with the web console helper I can extract only: someuser after "Connect " and before "@"
or someuser after "user '" and before " ' "
After 2 days I arrived at this: (?i)(?P[^ ]*)@
It extracts all user names, but for the user names after "user..." it extracts the single quotes too, such as:
root
'root'
test
'test'
fabio

please help me!!!!


Replies to This Discussion

First... put this at the end of your search -- which will do the field extraction temporarily just for this search:


(You might have to add "username" as a selected field in the field picker.)


Now, to persist it put something like this in your $SPLUNK_HOME/etc/system/local/props.conf: (between the brackets should be a host, source, or sourcetype).


Save props.conf. Get rid of the "rex" stuff from the first line of my message, and then pipe your search to " | extract reload=t" to force re-read of configs and you should get this:

you are my hero!!!!!!
thx thx thx!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Thanks Fabio... do me a favor. Spread the word that this is a good place to learn and get hard questions answered. The more of us, the better we will be.
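
The extraction the question asks for, as an added example that is not part of the original thread: one regex with a single named group `username` (the same `(?P<name>...)` syntax the question uses) that covers both the `user@host` form and the quoted `'user'@'host'` form, run in Python over lines from the question's log, with a per-user count of denied logins. The `denied` group, the function names and the tally are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample: lines taken from the log excerpt in the question.
SAMPLE = """\
<13>Nov 5 18:56:25 dnsinterno mysql: 091105 18:56:25 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
<13>Nov 5 10:58:50 dnsinterno mysql: 091105 10:58:50 25 Connect test@localhost on
<13>Nov 5 10:55:36 dnsinterno mysql: 091105 10:55:36 24 Connect root@localhost on mysql
<13>Nov 5 10:54:09 dnsinterno mysql: 091105 10:54:09 22 Connect Access denied for user 'fabio'@'localhost' (using password: YES)
<13>Nov 5 10:51:52 dnsinterno mysql: 091105 10:51:52 20 Connect Access denied for user 'fabio'@'localhost' (using password: YES)
<13>Nov 5 10:42:58 dnsinterno mysql: 091105 10:42:58 18 Connect Access denied for user 'ola'@'localhost' (using password: YES)
<13>Nov 5 10:41:06 dnsinterno mysql: 091105 10:41:06 16 Connect Access denied for user 'root'@'localhost' (using password: YES)
"""

# The optional "Access denied for user " prefix and the optional quotes sit
# outside the capture, so the value is the bare name in both line shapes.
# Assumes user names without whitespace, quotes or "@", as in the sample.
CONNECT = re.compile(
    r"\bConnect\s+"
    r"(?P<denied>Access denied for user\s+)?"
    r"'?(?P<username>[^'@\s]+)'?@"
)

def parse_line(line):
    """Return username and outcome for a Connect line, or None for other lines."""
    m = CONNECT.search(line)
    if m is None:
        return None
    outcome = "denied" if m["denied"] else "connected"
    return {"username": m["username"], "outcome": outcome}

def failed_logins(text):
    """Count denied connection attempts per user name."""
    counts = Counter()
    for line in text.splitlines():
        event = parse_line(line)
        if event and event["outcome"] == "denied":
            counts[event["username"]] += 1
    return counts

if __name__ == "__main__":
    for user, n in failed_logins(SAMPLE).most_common():
        print(f"{user}: {n} denied")
```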


© 2012   Created by Michael Wilde.
