https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633269#M15586 <P>The <FONT face="courier new,courier">extract</FONT> command is made for that kind of parsing, but it will be tripped up by the extra ":" separators in the timestamp.</P><P>Regex will do the job, however, but there's no special command for it.&nbsp; Assuming the fields are always in the same order then this will do it.</P><LI-CODE lang="markup">| rex "firepower : (?&lt;firepower&gt;[^:]+): EventPriority: (?&lt;EventPriority&gt;\w+), DeviceUUID: (?&lt;DeviceUUID&gt;[^,]+), InstanceID: (?&lt;InstanceID&gt;[^,]+), FirstPacketSecond: (?&lt;FirstPacketSecond&gt;[^,]+), ConnectionID: (?&lt;ConnectionID&gt;[^,]+), AccessControlRuleAction: (?&lt;AccessControlRuleAction&gt;[^,]+), SrcIP: (?&lt;SrcIP&gt;[^,]+), DstIP: (?&lt;DstIP&gt;[^,]+), SrcPort: (?&lt;SrcPort&gt;\d+), DstPort: (?&lt;DstPort&gt;\d+), Protocol: \w+"</LI-CODE><P>If the fields might appear in any order then a separate <FONT face="courier new,courier">rex</FONT> command is needed for each one.</P> Sat, 04 Mar 2023 01:33:10 GMT richgalloway 2023-03-04T01:33:10Z https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633261#M15584 <P>We are ingesting Firepower logs via syslog using the cisco:asa TA. Many of the events I am interested in are Threat Defense events that are tied to an ID like this&nbsp;FTD-6-430002. When I narrow down my search to events with just that ID I find the rest of the event has plenty of info in key:value pairs but no fields have been extracted from the pairs.<BR /><BR />Sanitized example event:</P> <P><SPAN class="">Mar</SPAN> <SPAN class="">3</SPAN> <SPAN class="">16:01:21</SPAN> <SPAN class="">172.16.51.72</SPAN> <SPAN class="">Mar</SPAN> <SPAN class="">03</SPAN> <SPAN class="">2023</SPAN> <SPAN class="">22:01:21</SPAN>&nbsp;firepower&nbsp;<SPAN class="">:</SPAN> <SPAN class=""><SPAN class="">%FTD-6-430002</SPAN>:</SPAN> <SPAN class="">EventPriority:</SPAN> <SPAN class="">Low</SPAN><SPAN>, </SPAN><SPAN class="">DeviceUUID:</SPAN> <SPAN class="">00000-0000-0000-000000000000</SPAN><SPAN>, </SPAN><SPAN class="">InstanceID:</SPAN> <SPAN class="">1</SPAN><SPAN>, </SPAN><SPAN class="">FirstPacketSecond:</SPAN> <SPAN class="">2023-03-03T22:01:21Z</SPAN><SPAN>, </SPAN><SPAN class="">ConnectionID:</SPAN> <SPAN class="">5000</SPAN><SPAN>, </SPAN><SPAN class="">AccessControlRuleAction:</SPAN> <SPAN class="">Allow</SPAN><SPAN>, </SPAN><SPAN class="">SrcIP:</SPAN> <SPAN class="">100.100.100.100</SPAN><SPAN>, </SPAN><SPAN class="">DstIP:</SPAN>&nbsp;200<SPAN class="">.200.200.200</SPAN><SPAN>, </SPAN><SPAN class="">SrcPort:</SPAN> <SPAN class="">60000</SPAN><SPAN>, </SPAN><SPAN class="">DstPort:</SPAN>&nbsp;10<SPAN>, </SPAN><SPAN class="">Protocol:</SPAN> <SPAN class="">tcp<BR /><BR />Is there a regex command that can dynamically extract all the field names from something like "DstPort:&nbsp;10" to Field Name of DstPort with a value of 10?&nbsp;<BR /><BR />I know Cisco provides a eStreamer TA that may extract these fields but it looks very involved to setup and I already have the syslog configured.&nbsp;</SPAN></P> Mon, 06 Mar 2023 14:40:58 GMT https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633261#M15584 snix 2023-03-06T14:40:58Z https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633269#M15586 <P>The <FONT face="courier new,courier">extract</FONT> command is made for that kind of parsing, but it will be tripped up by the extra ":" separators in the timestamp.</P><P>Regex will do the job, however, but there's no special command for it.&nbsp; Assuming the fields are always in the same order then this will do it.</P><LI-CODE lang="markup">| rex "firepower : (?&lt;firepower&gt;[^:]+): EventPriority: (?&lt;EventPriority&gt;\w+), DeviceUUID: (?&lt;DeviceUUID&gt;[^,]+), InstanceID: (?&lt;InstanceID&gt;[^,]+), FirstPacketSecond: (?&lt;FirstPacketSecond&gt;[^,]+), ConnectionID: (?&lt;ConnectionID&gt;[^,]+), AccessControlRuleAction: (?&lt;AccessControlRuleAction&gt;[^,]+), SrcIP: (?&lt;SrcIP&gt;[^,]+), DstIP: (?&lt;DstIP&gt;[^,]+), SrcPort: (?&lt;SrcPort&gt;\d+), DstPort: (?&lt;DstPort&gt;\d+), Protocol: \w+"</LI-CODE><P>If the fields might appear in any order then a separate <FONT face="courier new,courier">rex</FONT> command is needed for each one.</P> Sat, 04 Mar 2023 01:33:10 GMT https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633269#M15586 richgalloway 2023-03-04T01:33:10Z https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633481#M15604 <P>Thank you! Yeah I was hoping there was a way to just pull the filed name from the event automatically but for what I need it for right now I just need a few fields.&nbsp;<BR /><BR />Yeah the events seem to vary a bit on what fields are included and not included so I opted to take your second suggestion and spit them up and that worked like a charm:</P><P>&nbsp;</P><LI-CODE lang="markup">| rex "AccessControlRuleAction: (?&lt;AccessControlRuleAction&gt;[^,]+)" | rex "SrcIP: (?&lt;SrcIP&gt;[^,]+)" | rex "DstIP: (?&lt;DstIP&gt;[^,]+)" | rex "DstPort: (?&lt;DstPort&gt;[^,]+)" </LI-CODE><P>&nbsp;</P> Mon, 06 Mar 2023 20:28:34 GMT https://community.splunk.com/t5/Splunk-Enterprise/Dynamic-field-extraction-with-regex-syslog-s/m-p/633481#M15604 snix 2023-03-06T20:28:34Z