
SPL

Successful Login to OSX

Description

Submitted by ItsJohnLocke

The following Splunk query (with a regex) returns the users who have successfully authenticated to an OS X machine, counted per user, host and day: *NOTE* Thanks Bob for pointing this out. The regular expression has now been fixed!

sourcetype=osx_secure | rex "authinternal\sauthenticated\suser\s(?<USER>\S+)" | eval Date=strftime(_time, "%Y/%m/%d") | stats count by USER, host, Date | sort - count
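To check what the search above actually extracts before loading it into Splunk, here is an added Python re-implementation of the same pipeline (the page's own query is SPL; this is not code from the submitter). It applies the identical `rex` pattern to constructed secure.log-style lines, derives `host` and `Date` the way Splunk would from the syslog prefix and `_time`, and reproduces `stats count by USER, host, Date | sort - count`. The sample lines, the host names and the assumed year 2019 (secure.log timestamps carry no year) are all constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Same capture group as the page's rex command; "USER" is the extracted field.
USER_RE = re.compile(r"authinternal\sauthenticated\suser\s(?P<USER>\S+)")
# Syslog-style prefix of a secure.log line: "Mon DD HH:MM:SS host process[pid]: ..."
# Splunk would take host and _time from event metadata; here we parse them.
PREFIX_RE = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2}\s\d{2}:\d{2}:\d{2})\s(?P<host>\S+)\s")

# Constructed sample events (not real logs). The last line is a failure and must
# NOT match, because the regex requires the literal "authinternal authenticated user".
SAMPLE_LOG = """\
Jul 10 08:01:12 mac-alice authorizationhost[311]: authinternal authenticated user alice (uid 501).
Jul 10 08:05:40 mac-alice authorizationhost[312]: authinternal authenticated user alice (uid 501).
Jul 10 09:17:03 mac-bob authorizationhost[298]: authinternal authenticated user bob (uid 502).
Jul 11 07:55:21 mac-alice authorizationhost[330]: authinternal authenticated user alice (uid 501).
Jul 11 08:10:00 mac-bob authorizationhost[301]: authinternal failed to authenticate user bob (uid 502).
"""


def successful_logins(log_text, year=2019):
    """Return [(USER, host, Date, count), ...] sorted by count descending.

    Mirrors: rex ... | eval Date=strftime(_time, "%Y/%m/%d")
             | stats count by USER, host, Date | sort - count
    `year` is an assumption because secure.log timestamps omit it.
    """
    counts = Counter()
    for line in log_text.splitlines():
        user = USER_RE.search(line)
        if not user:
            continue  # rex silently drops events that do not match
        prefix = PREFIX_RE.match(line)
        if not prefix:
            continue  # no syslog prefix: cannot derive host/_time
        ts = datetime.strptime(f"{prefix['ts']} {year}", "%b %d %H:%M:%S %Y")
        date = ts.strftime("%Y/%m/%d")  # same format string as the SPL eval
        counts[(user["USER"], prefix["host"], date)] += 1
    rows = [(u, h, d, c) for (u, h, d), c in counts.items()]
    return sorted(rows, key=lambda r: -r[3])  # "sort - count" (stable on ties)


if __name__ == "__main__":
    for user, host, date, count in successful_logins(SAMPLE_LOG):
        print(f"{user:<8}{host:<12}{date:<12}{count}")
```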

Comments

5 total

Bauttt
3/15/2017

Error in 'rex' command: Encountered the following error while compiling the regex 'authinternal\sauthenticated\suser\s(?\S+)': Regex: unrecognized character after (? or (?-

Bob
7/10/2019

Looks like they wanted to extract a USER field, so change it to:
`| rex "authinternal\sauthenticated\suser\s(?\S+)"`

Bob
7/10/2019

Ahh, the website hides some codes. You need to have this with the spaces removed:
`(?\S+)"`

Bob
7/10/2019

Grrrrr, let's try this.
`| rex "authinternal\sauthenticated\suser\s(?<USER>\S+)"`

SplunkNinja
7/10/2019

Thanks Bob! It has been fixed :)
