Hi, hope you are doing really well, and thank you for helping me solve my previous issues. I now learnt how to build up regex queries on my own after your explanations and analysis of the queries you built for me; a huge thank you for that. I have another issue now, which I hope you would help me get solved.

I have 2 separate queries that I built using Rex. This query captures the log on and log off status of the service:

index=windows_log host=abc-05-hiddencam logged* | eval "Hidden Cam Monitoring" = Date + " : " + hostname + " " + status + if(isnotnull(user)," "+user,"")

If you'll notice, I've added an if clause to the eval function. The reason is that when trying to eval a field based on a field that doesn't exist in the data, the eval will fail and you'll end up with an empty field.

I run the below 1,2,3 queries on the given datasets to find out which users ran the enable command on which host at what time:

index=linux_logs host=edc-03-tacacs enable*

When using the rex command in sed mode, you have two options: replace (s) or character substitution (y).

index=linux_logs host=gsw-03-tacacs enable*

The syntax for using sed to replace (s) text in your data is: s/<regex>/<replacement>/<flags>. <regex> is a PCRE regular expression, which can include capturing groups. <replacement> is a string to replace the regex match.

I tried hard but could not find a query to merge all these data (indexes and hosts) to find out who ran the enable command successfully at what time on which host, and get those results into a table that looks like:

| table date host user command(enable) status(success)
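One way to merge the two tacacs searches into the requested table, as an added example that is not part of the original post. It assumes each enable event carries the caller as user=<name> and the outcome as status=success or status=fail (constructed assumptions about the event format; the two rex capturing groups must be adapted to the real events). fillnull stands in for the isnotnull check above, so events with no extractable user still reach the table instead of being dropped by the eval.

```spl
index=linux_logs (host=edc-03-tacacs OR host=gsw-03-tacacs) enable*
| rex field=_raw "user=(?<user>\S+)"
| rex field=_raw "status=(?<status>success|fail(?:ure)?)"
| fillnull value="unknown" user status
| eval command="enable"
| where status="success"
| eval date=strftime(_time, "%Y-%m-%d %H:%M:%S")
| table date host user command status
| sort 0 date
```

Drop the where line to also list failed enable attempts per user and host, which is usually the more interesting view for detecting privilege-escalation guessing.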