2

This event is printed eveytime UserPin AreaCode AreaNum Sector Short Sem are unique for each userid and come only inside User Login successfully message with timestamp

"message":" *** User Login successfully credentials userid 2NANO-323254-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

Below these two event are only printed when certain conditions are meet. I am very new in Splunk like a naive, how can we write a Splunk query such that take out the userid with UserPin AreaCode AreaNum Sector Short Sem which have the below printed event then only create a table with userid. If below two message are not printed with userid from above message then we should not consider the userid

"message": "User Failed to login userid - 2NANO-323254-7654-4"

"message": "User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4"

this is table structure where i want to fill values

UserId | UserPin | AreaCode | AreaNum | Sector | Short_Sem

I am very new in splunk can someone guide how to start to build where to look for the thing. Any hint or demo will work. Thank you

Example

"message":" *** User Login successfully credentials userid 2NANO-323254-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

"message": "User Failed to login userid - 2NANO-323254-7654-4"

"message": "User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4"

"message":" *** User Login successfully credentials userid 2ABDO-54312-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

"message":" *** User Login successfully credentials userid 2COMA-765234-8653-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB"

So we consider first only because that userid have has two more event with same userid and associated all the event have timestamp

UserId              | UserPin| AreaCode | AreaNum | Sector   | Short_Sem
2NANO-323254-7654-4 | 287654 | 98765    | 98765   | 87612345 | ZEB

enter image description here

SingUser
  • 23
  • 1
  • 8

1 Answers1

0

This question is an expansion of your question at how to write splunk query to create a table view so the answer is an expansion of that answer.

First, use rex to extract the desired fields. Then the stats command will group the results by userid. Finally, use the table command to display the fields.

| makeresults 
| eval data="\"message\":\" *** User Login successfully credentials userid 2NANO-323254-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB\"
    \"message\": \"User Failed to login userid - 2NANO-323254-7654-4\"
    \"message\": \"User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4\"
    \"message\":\" *** User Login successfully credentials userid 2ABDO-54312-7654-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB\"
    \"message\":\" *** User Login successfully credentials userid 2COMA-765234-8653-4  UserPin - 287654 AreaCode - 98765 AreaNum - 98765 Sector - 87612345 Short Sem - ZEB\"" 
| eval data=split(data,"
") 
| mvexpand data 
| eval _raw=data 
```Everything above is for demo purposes only```
```Extract fields```
| rex "message\":\s*\"\s*(?:\*+\s)?(?<msg>.*?)(?:userid|,)"
| rex "userid\s(?:-\s)?(?<userid>\S+)" 
| rex "UserPin - (?<UserPin>\S+) AreaCode - (?<AreaCode>\S+) AreaNum - (?<AreaNum>\S+) Sector - (?<Sector>\S+) Short Sem - (?<Short_Sem>\S+)"
```Clean up the fields```
| eval userid=trim(userid,"\""), Short_Sem=trim(Short_Sem, "\"")
```Group results```
| stats values(*) as * by userid
```Filter events```
| search (msg="*User Failed to login*") OR (msg="*User is from stackoverflow group*")
| rename userid as UserId
| table UserId UserPin AreaCode AreaNum Sector Short_Sem
RichG
  • 9,063
  • 2
  • 18
  • 29
  • I tried this query but it return some wired output it returned me 4 rows but i just want 1 row only ```UserId | UserPin| AreaCode | AreaNum | Sector | Short_Sem 2NANO-323254-7654-4 | 287654 | 98765 | 98765 | 87612345 | ZEB``` – SingUser Feb 10 '22 at 18:41
  • Hi @RichG I added the image of the query in the question – SingUser Feb 10 '22 at 18:44
  • Four lines are displayed because there are 4 different userid values. You can show only 1 line, but how will Splunk know which one? – RichG Feb 10 '22 at 19:44
  • That is what i asked in question want to build table where userid has these two string also if not then dont consider those cases ```\"message\": \"User Failed to login userid - 2NANO-323254-7654-4\" \"message\": \"User is from stackoverflow group, on XZ ABCE for userid - 2NAN0-323254-7654-4\"``` – SingUser Feb 10 '22 at 19:49
  • Thanks for clarifying. I've updated my answer. – RichG Feb 10 '22 at 20:34
  • Thanks a lot @RichG its working fine but i still get two rows added the image any idea like why i am get two rows – SingUser Feb 11 '22 at 16:47
  • The sample data contains two userid values with the desired strings: `2NANO-323254-7654-4` and `2NAN0-323254-7654-4` – RichG Feb 11 '22 at 17:49