Creating a Dashboard
Hi Guys,
1. I am new to Sumo and trying to develop a dashboard to extract the following from logs and present them in a table.
I want to extract:
Who logged in:
What time:
Verification status:
How many attempts:
Log samples:
2022-08-17T05:07:25+10:00 exim-jsn jsnvpn-client-auth: Wed Aug 17 05:07:23 2022 Jane.alex/14.202.148.153:1194 VERIFY OK: depth=1, CN=vpn.exim.com.au
2022-08-17T05:13:35+10:00 exim-jsn jsnvpn-client-auth: Wed Aug 17 05:13:28 2022 Jasmin.lo/103.44.35.151:1194 VERIFY OK: depth=0, CN=Jasmin.lo
2. I want to change the time zone of the logs, how can I do it?
Please help.
Thank you
-
Thank you E Jang. Can you please help me with this?
In Splunk I use Regex to extract the key items from a query and use Eval command to make the expression much meaningful and look pretty.
Ex:
| rex field=_raw "(?<Date>\w{3}\s+\d+ \d+:\d+:\d+) (?<hostname>.+) \d+: \w{3}.*User:(?<user>\w+).*:(?P<command>.......)"
|eval "Command Execution on the Network" = Date + " " + "Enable Command on " + host + " was executed by " + user
| table "Command Execution on the Network"
I extracted a regex command for SumoLogic and I want to know what is the way to get a similar beautiful output from SumoLogic.
From the below-mentioned regex, I want to have a table of which each row says: On <Date> User <Name> has logged into <Server> <Connection> <status>
| parse regex "\d+\S\d+\S\d+\w+\S\d+\S\d+\S\d+\S\d+\s(?<Server>\w+\S\w+\s\w+)\S\w+\S\w+\S\s(?<Date>\w+\s\w+\s\w+\s\w+\S\w+\S\w+)\s\w+\s(?<Name>\w+.\w+)\S\d+\S\d+\S\d+\d+\S\d+\S\d+\S\s(?<Connection>\w+)\s(?<status>\w+).*"
Please help.
Thank you.
-
Use the concat operator.
For example,
| concat ("On ", Date, " User ", Name, " has logged into ", Server, " ", Connection, " ", Status) as output
| count by output
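The same extract-then-concat-then-count pipeline, worked through offline in Python on the two VPN auth lines from the first post, as an added example that is not part of this thread and not Sumo Logic query syntax. It also answers the time-zone question by converting the line's ISO timestamp (which carries a +10:00 offset) to another fixed offset; the named groups (Server, Date, Name, Connection, status) and the helper names are my own, and Server here is just the syslog hostname.

```python
import re
from collections import Counter
from datetime import datetime, timezone, timedelta

# Constructed sample input: the two lines quoted in the question.
LOG_LINES = [
    "2022-08-17T05:07:25+10:00 exim-jsn jsnvpn-client-auth: Wed Aug 17 05:07:23 2022 "
    "Jane.alex/14.202.148.153:1194 VERIFY OK: depth=1, CN=vpn.exim.com.au",
    "2022-08-17T05:13:35+10:00 exim-jsn jsnvpn-client-auth: Wed Aug 17 05:13:28 2022 "
    "Jasmin.lo/103.44.35.151:1194 VERIFY OK: depth=0, CN=Jasmin.lo",
]

# Same fields as the thread's parse regex, written with explicit literals
# (":" "/" "VERIFY") instead of long \w/\S runs so each group is readable.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+"                                   # ISO timestamp with offset
    r"(?P<Server>\S+)\s+(?P<program>\S+):\s+"            # hostname and program
    r"(?P<Date>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4})\s+"  # OpenVPN-style date
    r"(?P<Name>[^/\s]+)/(?P<client>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<Connection>VERIFY)\s+(?P<status>\w+):.*$"
)

def parse_line(line):
    """Return the named fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def to_timezone(ts, offset_hours):
    """Re-express an ISO timestamp (with its own offset) in a fixed UTC offset."""
    return datetime.fromisoformat(ts).astimezone(timezone(timedelta(hours=offset_hours)))

def build_rows(lines, offset_hours=0):
    """Counter of 'On <Date> User <Name> has logged into ...' sentences,
    the offline equivalent of `concat ... as output | count by output`."""
    outputs = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None:
            continue            # unparsed lines are dropped, as parse regex would
        when = to_timezone(f["ts"], offset_hours).strftime("%Y-%m-%d %H:%M:%S %z")
        outputs[f"On {when} User {f['Name']} has logged into "
                f"{f['Server']} {f['Connection']} {f['status']}"] += 1
    return outputs

def attempts_by_user(lines):
    """Answer 'how many attempts': number of VERIFY lines per user name."""
    return Counter(f["Name"] for f in map(parse_line, lines) if f)

if __name__ == "__main__":
    for sentence, n in build_rows(LOG_LINES, offset_hours=0).items():
        print(n, sentence)
```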