topic Regex Extraction for Field in Splunk Enterprise https://community.splunk.com/t5/Splunk-Enterprise/Regex-Extraction-for-Field/m-p/579349#M11004 <P>Hi,</P><P>From the below events i need to extract the field called "<STRONG>Event_Name</STRONG>" which is associated with "<STRONG>BeyondTrust_PBUL_ACCEPT_Event</STRONG>" from below 3 events</P><P>Desired output: Event_Name(<STRONG>filed name</STRONG>)=BeyondTrust_PBUL_ACCEPT_Event(<STRONG>field value</STRONG>)</P><P><STRONG>Example Event 1:</STRONG></P><P>&lt;86&gt;Dec 22 ddppvc0729 pbmerd2.1.0-12: BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='IST'; Request_Date='2021/1/27'; Request_Time='2:2:51'; Request_End_Date='2021/1/27'; Request_End_Time='22:1:51';Submit_User='spnt'; Submit_Host='wcpl.com';&nbsp;</P><P><STRONG>Example Event 2:</STRONG></P><P>&lt;83&gt;Dec 22 ddpc0729 pbmerd21.1.0-12: [2658] 5105.1 failed to get ACK packet during a CMD_SWAPTTY_ONE_LINE sequence - read failure in receive acknowledgement</P><P><STRONG>Example Event 3:</STRONG></P><P>&lt;38&gt;Dec 22 ddppvc0729 root[25132]: [ID 7011 auth.info] CEF:0|BeyondTrust|PowerBroker|1.1.0-12|7011|PBEvent=Accept|4|act=Accept end=Dec 1 2021 1:11:40 shost=dc8 dvchost=dc8 suser=t8adsfk duser=root filePath=/opt/ cs1Label=Ticket cs1=Not_Applicable deviceExternalId=0a2adfersds9 fname=./SSB_Refresh_Pbrun_Local_Policy_Files.sh</P><P>&nbsp;</P><P><STRONG>What i tried from regex extraction:</STRONG></P><P>Input: (?&lt;Event_Name&gt;\w{10}[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+)</P><P>Output: matching 2 places from above 3 events</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pchintha_0-1640663261600.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17347i22BA5D15437CBE77/image-size/medium?v=v2&amp;px=400" role="button" title="pchintha_0-1640663261600.png" alt="pchintha_0-1640663261600.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Dec 2021 03:49:20 GMT pchintha 2021-12-28T03:49:20Z Regex Extraction for Field https://community.splunk.com/t5/Splunk-Enterprise/Regex-Extraction-for-Field/m-p/579349#M11004 <P>Hi,</P><P>From the below events i need to extract the field called "<STRONG>Event_Name</STRONG>" which is associated with "<STRONG>BeyondTrust_PBUL_ACCEPT_Event</STRONG>" from below 3 events</P><P>Desired output: Event_Name(<STRONG>filed name</STRONG>)=BeyondTrust_PBUL_ACCEPT_Event(<STRONG>field value</STRONG>)</P><P><STRONG>Example Event 1:</STRONG></P><P>&lt;86&gt;Dec 22 ddppvc0729 pbmerd2.1.0-12: BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='IST'; Request_Date='2021/1/27'; Request_Time='2:2:51'; Request_End_Date='2021/1/27'; Request_End_Time='22:1:51';Submit_User='spnt'; Submit_Host='wcpl.com';&nbsp;</P><P><STRONG>Example Event 2:</STRONG></P><P>&lt;83&gt;Dec 22 ddpc0729 pbmerd21.1.0-12: [2658] 5105.1 failed to get ACK packet during a CMD_SWAPTTY_ONE_LINE sequence - read failure in receive acknowledgement</P><P><STRONG>Example Event 3:</STRONG></P><P>&lt;38&gt;Dec 22 ddppvc0729 root[25132]: [ID 7011 auth.info] CEF:0|BeyondTrust|PowerBroker|1.1.0-12|7011|PBEvent=Accept|4|act=Accept end=Dec 1 2021 1:11:40 shost=dc8 dvchost=dc8 suser=t8adsfk duser=root filePath=/opt/ cs1Label=Ticket cs1=Not_Applicable deviceExternalId=0a2adfersds9 fname=./SSB_Refresh_Pbrun_Local_Policy_Files.sh</P><P>&nbsp;</P><P><STRONG>What i tried from regex extraction:</STRONG></P><P>Input: (?&lt;Event_Name&gt;\w{10}[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+)</P><P>Output: matching 2 places from above 3 events</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pchintha_0-1640663261600.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/17347i22BA5D15437CBE77/image-size/medium?v=v2&amp;px=400" role="button" title="pchintha_0-1640663261600.png" alt="pchintha_0-1640663261600.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 28 Dec 2021 03:49:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/Regex-Extraction-for-Field/m-p/579349#M11004 pchintha 2021-12-28T03:49:20Z Re: Regex Extraction for Field https://community.splunk.com/t5/Splunk-Enterprise/Regex-Extraction-for-Field/m-p/579402#M11013 <P>Please clarify which part of each event is the Event_Name, especially Example 2.</P><P>Are the sample events from the same sourcetype?&nbsp; They look very different, which means they can have different field extractions.</P> Tue, 28 Dec 2021 16:32:20 GMT https://community.splunk.com/t5/Splunk-Enterprise/Regex-Extraction-for-Field/m-p/579402#M11013 richgalloway 2021-12-28T16:32:20Z