Learning, learning, learning . . . Our Splunk "expert" is gone, and the non-programmer gets to learn the task! How do you spell SPLUNK?
The dojo of Splunk. Learn, share, teach, mentor.
Videos
Latest Activity
Michael Wilde commented on Michael Wilde's video
Sure... When you do group mapping, map them to groups that don't have the domain admins in them. I have a separate OU=Groups that has "Splunk Users, Splunk Admins, Splunk Power Users" as group names, and specific users…
Mike Hartford commented on Michael Wilde's video
I want to give LDAP access to my splunk servcie but I don't want the LDAP users to have admin capabilitys in Splunk. Can I keep the domain admins out of Splunk if I have LDAP authentication???
Mike Hartford left a comment for Jonathan Hawes
Helow Jonathan,
Glad to have another Splunker. I've been useing Splunk for 2 years and am hooked. I leared how to spell splunk and | transaction too. you'll learn that one soon.
Go over to Splunk…
Mike Hartford commented on Mike Hartford's blog post 'tees for the holy day'
Holy Batskins Ninja, zzzzzwap zgruppp kapow a hidden stash, how great is that!!!!
The team that found them must have special bat senses and highly tooned Splunking skills
I like to wear Extra Lovable…
splunk regex help
i all
i'm going crazy to extract field from mysql access log.this is the example source:
<13>Nov 5 18:56:25 dnsinterno mysql: 091105 18:56:25 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
<13>Nov 5 15:02:07 dnsinterno mysql: 091105 15:02:07 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
<13>Nov 5 10:58:50 dnsinterno mysql: 091105 10:58:50 25 Connect test@localhost on
<13>Nov 5 10:55:36 dnsinterno mysql: 091105 10:55:36 24 Connect root@localhost on mysql
<13>Nov 5 10:54:56 dnsinterno mysql: 091105 10:54:56 23 Connect root@localhost on
<13>Nov 5 10:54:09 dnsinterno mysql: 091105 10:54:09 22 Connect Access denied for user 'fabio'@'localhost' (using password: YES)
<13>Nov 5 10:53:46 dnsinterno mysql: 091105 10:53:46 21 Connect root@localhost on
<13>Nov 5 10:51:52 dnsinterno mysql: 091105 10:51:52 20 Connect Access denied for user 'fabio'@'localhost' (using password: YES)
<13>Nov 5 10:45:08 dnsinterno mysql: 091105 10:45:08 19 Connect root@localhost on
<13>Nov 5 10:42:58 dnsinterno mysql: 091105 10:42:58 18 Connect Access denied for user 'ola'@'localhost' (using password: YES)
<13>Nov 5 10:41:55 dnsinterno mysql: 091105 10:41:55 17 Connect Access denied for user 'prova'@'localhost' (using password: YES)
<13>Nov 5 10:41:06 dnsinterno mysql: 091105 10:41:06 16 Connect Access denied for user 'root'@'localhost' (using password: YES)
<13>Nov 5 10:39:35 dnsinterno mysql: 091105 10:39:35 15 Connect root@localhost on
i need to extract the username (root,prova,ola,test etc..) from this log but if extract from web console helper i can extract only: someuser after "Connect "and before "@"
or someuser after "user '" and before " ' "
after 2 day i arrive to this: (?i)(?P[^ ]*)@
extract all user name but for the user name after "user..." extract the single quote such as:
root
'root'
test
'test'
fabio
please help me!!!!
i'm going crazy to extract field from mysql access log.this is the example source:
<13>Nov 5 18:56:25 dnsinterno mysql: 091105 18:56:25 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
<13>Nov 5 15:02:07 dnsinterno mysql: 091105 15:02:07 1 Connect UNKNOWN_MYSQL_US@localhost as anonymous on
<13>Nov 5 10:58:50 dnsinterno mysql: 091105 10:58:50 25 Connect test@localhost on
<13>Nov 5 10:55:36 dnsinterno mysql: 091105 10:55:36 24 Connect root@localhost on mysql
<13>Nov 5 10:54:56 dnsinterno mysql: 091105 10:54:56 23 Connect root@localhost on
<13>Nov 5 10:54:09 dnsinterno mysql: 091105 10:54:09 22 Connect Access denied for user 'fabio'@'localhost' (using password: YES)
<13>Nov 5 10:53:46 dnsinterno mysql: 091105 10:53:46 21 Connect root@localhost on
<13>Nov 5 10:51:52 dnsinterno mysql: 091105 10:51:52 20 Connect Access denied for user 'fabio'@'localhost' (using password: YES)
<13>Nov 5 10:45:08 dnsinterno mysql: 091105 10:45:08 19 Connect root@localhost on
<13>Nov 5 10:42:58 dnsinterno mysql: 091105 10:42:58 18 Connect Access denied for user 'ola'@'localhost' (using password: YES)
<13>Nov 5 10:41:55 dnsinterno mysql: 091105 10:41:55 17 Connect Access denied for user 'prova'@'localhost' (using password: YES)
<13>Nov 5 10:41:06 dnsinterno mysql: 091105 10:41:06 16 Connect Access denied for user 'root'@'localhost' (using password: YES)
<13>Nov 5 10:39:35 dnsinterno mysql: 091105 10:39:35 15 Connect root@localhost on
i need to extract the username (root,prova,ola,test etc..) from this log but if extract from web console helper i can extract only: someuser after "Connect "and before "@"
or someuser after "user '" and before " ' "
after 2 day i arrive to this: (?i)(?P[^ ]*)@
extract all user name but for the user name after "user..." extract the single quote such as:
root
'root'
test
'test'
fabio
please help me!!!!
Views: 103
Replies to This Discussion
-
Permalink Reply by Michael Wilde on -
First... put this at the end of your search -- which will do the field extraction temporarily just for this search:
(you might have to add "username" as a selected field in the field picker.
Now, to persist it put something like this in your $SPLUNK_HOME/etc/system/local/props.conf: (between the brackets should be a host, source, or sourcetype).
Save props.conf. Get rid of the "rex" stuff from the first line of my message, and then pipe your search to " | extract reload=t" to force re-read of configs and you should get this:
-
Permalink Reply by fabio angeletti on -
you are my hero!!!!!!
thx thx thx!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-
Permalink Reply by Michael Wilde on
-
Thanks Fabio... do me a favor. Spread the word that his is a good place to learn and get hard questions answered. The more of us, the better we will be.
© 2012 Created by Michael Wilde.
