https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86837#M5630 <P>I've tried a few tools to try and write the proper regex syntax to do what I want, but I'm not having any luck.</P> <P>I have syslog output that comes from two different device types that comes out with different fields whether it's one device type or the other:</P> <PRE><CODE>Oct 5 09:02:40 10.219.49.2 66772: bfr01.151front711 RP/0/RSP0/CPU0:Oct 5 09:02:40.861 : exec[65706]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'rancid' from '10.219.51.130' on 'vty0' Oct 5 08:12:29 10.219.49.31 146074: bpe01.77mowat506: Oct 5 08:12:28.623: %LINK-3-UPDOWN: Interface Virtual-Access45, changed state to down </CODE></PRE> <P>The important fields are the hostname which appears in field 6 in both lines and as Cisco calls it "%message-group-severity-message-code" which appears in two different fields depending on the device.</P> <P>Using the field extrator, I can generate a regex that captures the hostname:</P> <PRE><CODE>"(?:[^:\n]*:){6}\s+(?P&lt;FIELDNAME1&gt;[^ ]+)" </CODE></PRE> <P>But I can't figure out how to get field extractor to also capture the %message as a different field. Heck, I can't even get it to reliably match %message in the first place. It doesn't seem to understand when I enter copy and paste different values from two different fields and ask it to match against it.</P> <P>I'd be grateful of for any assistance.</P> Wed, 05 Oct 2011 14:12:24 GMT jlixfeld 2011-10-05T14:12:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86837#M5630 <P>I've tried a few tools to try and write the proper regex syntax to do what I want, but I'm not having any luck.</P> <P>I have syslog output that comes from two different device types that comes out with different fields whether it's one device type or the other:</P> <PRE><CODE>Oct 5 09:02:40 10.219.49.2 66772: bfr01.151front711 RP/0/RSP0/CPU0:Oct 5 09:02:40.861 : exec[65706]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'rancid' from '10.219.51.130' on 'vty0' Oct 5 08:12:29 10.219.49.31 146074: bpe01.77mowat506: Oct 5 08:12:28.623: %LINK-3-UPDOWN: Interface Virtual-Access45, changed state to down </CODE></PRE> <P>The important fields are the hostname which appears in field 6 in both lines and as Cisco calls it "%message-group-severity-message-code" which appears in two different fields depending on the device.</P> <P>Using the field extrator, I can generate a regex that captures the hostname:</P> <PRE><CODE>"(?:[^:\n]*:){6}\s+(?P&lt;FIELDNAME1&gt;[^ ]+)" </CODE></PRE> <P>But I can't figure out how to get field extractor to also capture the %message as a different field. Heck, I can't even get it to reliably match %message in the first place. It doesn't seem to understand when I enter copy and paste different values from two different fields and ask it to match against it.</P> <P>I'd be grateful of for any assistance.</P> Wed, 05 Oct 2011 14:12:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86837#M5630 jlixfeld 2011-10-05T14:12:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86838#M5631 <P>Hello,</P> <P>From your email I understand that you are trying to collect "%SECURITY-login-6-AUTHEN_SUCCESS" and "%LINK-3-UPDOWN". This is the correct, have you tried this regex:</P> <PRE><CODE>: (?&lt;FIELDNAME1&gt;%[^:]+): </CODE></PRE> <P>Hope this help.</P> <P>Regards,<BR /> Olivier</P> Wed, 05 Oct 2011 15:01:06 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86838#M5631 OL 2011-10-05T15:01:06Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86839#M5632 <P>Hi Oliver,</P> <P>You are partially right. I perhaps didn't make my question clear enough. I apologize. I'd like to match %message as well as hostname. I understand that the field extractor can extract multiple fields at once.</P> Wed, 05 Oct 2011 15:07:50 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86839#M5632 jlixfeld 2011-10-05T15:07:50Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86840#M5633 <P>Sorry, I'm not sure that I can recognize the hostnames from the log but I'm guessing you want to get "bfr01.151front711 RP/0/RSP0/CPU0" and "bpe01.77mowat506", but would this one be OK:</P> <P>[^ ]+ [^ ]+ [^ ]+ [0-9]+: (?<FIELDNAME1>[^:]+).*: (?<FIELDNAME2>%[^:]+):</FIELDNAME2></FIELDNAME1></P> Wed, 05 Oct 2011 15:16:09 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86840#M5633 OL 2011-10-05T15:16:09Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86841#M5634 <P>Again, my apologies. The hostname in the example would be either bfr01.151front711 or bpe01.77mowat506.</P> <P>I tried your second regex, and that works much better, except for one small issue. It matches this as one field:</P> <P><CODE>bfr01.151front711 RP/0/RSP0/CPU0</CODE></P> <P>The one field should only be:</P> <P><CODE>bfr01.151front711</CODE></P> Wed, 05 Oct 2011 15:48:24 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86841#M5634 jlixfeld 2011-10-05T15:48:24Z https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86842#M5635 <P>Try:</P> <PRE><CODE>^(?:\S*\s*){5}(?&lt;hostname&gt;\S*)[^%]*(?&lt;message&gt;%\S+) </CODE></PRE> <P>It could be more precise (e.g., it could define where after the hostname the message occurs, instead of just finding the first <CODE>%</CODE>), but should work.</P> Wed, 05 Oct 2011 16:57:31 GMT https://community.splunk.com/t5/All-Apps-and-Add-ons/Complex-regex-help/m-p/86842#M5635 gkanapathy 2011-10-05T16:57:31Z