How to search based on number

May 24, 2020 16:36

Greetings

I am new to Sumo Logic and have a basic query.

Here is my log entry

10.100.200.56 \| AuthenticationFailureEvent \| csanghavi \| 1590331677663 \| csanghavi \| {"authentication-method":"basic","error":"For security reasons you must answer a CAPTCHA question."} \| @LK4UF0x647x26439558x0 \|

10.100.200.56 | AuthenticationFailureEvent | csanghavi | 1590331677663 | csanghavi | {"authentication-method":"basic","error":"For security reasons you must answer a CAPTCHA question."} | @LK4UF0x647x26439558x0 |

How do I parse the username "csanghavi" which is next to 1590331677663 ?

Thanks !

Comments

3 comments

Kevin Keech2

May 24, 2020 23:38

Edited
There are a few ways you can parse this. (Note: I am assuming you want the name to the left of the epoch timestamp in the message)

1.) Since the logs are pipe-delimited you can use the "split" operation to parse out the field you need. This assumes the field your looking for is always in the same position in your logs.
```
| split _raw delim='|' extract 3 as user
```
This operation takes an existing field, in this case the _raw field, which is the message itself, and then uses the delimiter to determine each field of the message. Finally you tell it which field in the message you want to extract, in this case the third field. You can parse other fields using the same operation you just need to include the other locations. Ex.
```
| split _raw delim='|' extract 3 as user, 1 as ip, 6 as event_message
```
2.) Using a parse regex expression. This assumes the name is always next to the digit field.
```
| parse regex "\|\s+(?<userb>.*?)\s+\|\s+\d{13}"
```
3.) Using a basic parse anchor to parse all the fields from your message.
```
| parse "* | * | * | * | * | * | *" as ip, eventtype, user, timestamp, userb, event_message, someid
```
I hope these examples help.
2

Comment actions Permalink
Graham Watts

May 24, 2020 23:39
Hi Kota,

There are a few options here, parse anchor is probably the easiest assuming these fields are consistently in the order shown in your example log.
```
_sourceCategory=<my/category>
| parse "* | * | * | * | * | * |" as ip,event,user1,id,user2, msg
```
Also, here are a few good resources to get you started:
- Parse Operators
- Log Operators Cheat Sheet
- Fundamentals Certification (Level 1)
- slack.sumologic.com - join our slack community and get help from other users and Sumos!
Thanks and have a good week,

Graham
1

Comment actions Permalink
Kota Shravana

May 25, 2020 05:38
Thanks Kevin & Graham. Appreciate your quick help
0

Comment actions Permalink

Please sign in to leave a comment.

Comments

Didn't find what you were looking for?