https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682257#M113982 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258346">@meetmshah</a>&nbsp;</P><P>not working as expected.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sushraw_0-1711621500691.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29929iC936C6255B2F4995/image-size/medium?v=v2&amp;px=400" role="button" title="sushraw_0-1711621500691.png" alt="sushraw_0-1711621500691.png" /></span></P><P><BR />search :- log_type=Passed_Authentications MESSAGE_TEXT="Command Authorization succeeded"&nbsp; | rex field=CmdSet max_match=0 "CmdAV=(?&lt;Command&gt;[^\s]+)|\sCmdArgAV=(?&lt;Command1&gt;[^\s]+)" | makemv delim="," allowempty=t Command1 | table _time,Command,Command1</P> Thu, 28 Mar 2024 10:27:42 GMT sushraw 2024-03-28T10:27:42Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682126#M113960 <P>Hello all,</P><P>can someone help me to to extract field 'CmdSet' from cisco ISE accouting logs. string : '[ CmdAV=show CmdArgAV=license CmdArgAV=usage CmdArgAV=&lt;cr&gt; ]'</P> Wed, 27 Mar 2024 16:31:25 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682126#M113960 sushraw 2024-03-27T16:31:25Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682129#M113961 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266356">@sushraw</a>, Can you please share sample events in order to create the regex? Sample event along with the field value that you want to extract.</P> Wed, 27 Mar 2024 17:11:41 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682129#M113961 meetmshah 2024-03-27T17:11:41Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682134#M113962 <P>TACACS event:</P><P>Mar 26 15:37:59 &lt;device_IP&gt; &lt;device_name&gt;_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=&lt;device_IP&gt;, DestinationIPAddress=&lt;device_IP&gt;, DestinationPort=49, UserName=&lt;user&gt;, <STRONG>CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=&lt;cr&gt; ]</STRONG>, Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=&lt;device_name&gt;</P> Wed, 27 Mar 2024 17:24:30 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682134#M113962 sushraw 2024-03-27T17:24:30Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682135#M113963 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266356">@sushraw</a>, Can you please try below -&nbsp;</P><LI-CODE lang="markup">| rex field=_raw "CmdSet=\[(?&lt;CmdSet&gt;[^\]]+)\]"</LI-CODE><P>The above should extract&nbsp;CmdSet from the events.</P><P>If it looks good, you can write search time field extraction to extract the field&nbsp;CmdSet automatically.</P><P>Please accept the solution and hit Karma, if this helps!</P> Wed, 27 Mar 2024 17:28:57 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682135#M113963 meetmshah 2024-03-27T17:28:57Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682146#M113964 <P>Hello <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258346">@meetmshah</a>&nbsp;</P><P>i would like to thank you for your reply.</P><P>but i am looking to extract '<STRONG>CmdSet</STRONG>' field.</P><P>i am using 'rex field=CmdSet "CmdAV=(?&lt;Command&gt;[^\s]+)|\sCmdArgAV=(?&lt;Command1&gt;[^\s]+)" '</P><P>but it is giving output till 1st CmdArgAV value</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sushraw_0-1711561368589.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29916i1FDF1414D53FFDC3/image-size/medium?v=v2&amp;px=400" role="button" title="sushraw_0-1711561368589.png" alt="sushraw_0-1711561368589.png" /></span></P><P>&nbsp;</P> Wed, 27 Mar 2024 17:51:47 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682146#M113964 sushraw 2024-03-27T17:51:47Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682149#M113965 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266356">@sushraw</a>, Can you please try below -&nbsp;</P><LI-CODE lang="markup">| rex field=_raw "CmdSet=\[(?&lt;CmdSet&gt;[^\]]+)\]" | rex field=CmdSet "CmdArgAV=(?&lt;CmdArgAV&gt;[^\s]+)"</LI-CODE><P>&nbsp;</P><P>Please accept the solution and hit Karma, if this helps!&nbsp;</P> Wed, 27 Mar 2024 18:03:16 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682149#M113965 meetmshah 2024-03-27T18:03:16Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682153#M113966 <P>hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258346">@meetmshah</a>&nbsp;</P><P>thanks for your reply. but not working as expected</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sushraw_0-1711563353180.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29917i52E49307930F061D/image-size/medium?v=v2&amp;px=400" role="button" title="sushraw_0-1711563353180.png" alt="sushraw_0-1711563353180.png" /></span></P><P>&nbsp;</P> Wed, 27 Mar 2024 18:16:20 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682153#M113966 sushraw 2024-03-27T18:16:20Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682155#M113967 <P>Oh we will need to add&nbsp;<SPAN>max_match=0 in rex. Example below -&nbsp;</SPAN></P><LI-CODE lang="markup">| rex field=_raw "CmdSet=\[(?&lt;CmdSet&gt;[^\]]+)\]" | rex field=CmdSet max_match=0 "CmdArgAV=(?&lt;CmdArgAV&gt;[^\s]+)"</LI-CODE><P>Can you please have a check and me know how it goes?</P> Wed, 27 Mar 2024 18:24:06 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682155#M113967 meetmshah 2024-03-27T18:24:06Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682224#M113975 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258346">@meetmshah</a>thanks 'max_match=0' helped.</P><P>but command keywords are separated by 'Enter'. is there any options to keep all words in one line?</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sushraw_0-1711598829000.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29927i74E809EE11E7DD71/image-size/medium?v=v2&amp;px=400" role="button" title="sushraw_0-1711598829000.png" alt="sushraw_0-1711598829000.png" /></span></P><P>&nbsp;</P> Thu, 28 Mar 2024 04:08:28 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682224#M113975 sushraw 2024-03-28T04:08:28Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682227#M113976 <P>Can you please try appending below -&nbsp;</P><LI-CODE lang="markup">| makemv delim="," allowempty=t CmdArgAV</LI-CODE><P>&nbsp;</P><P>Please accept the solution and hit Karma, if this helps!</P> Thu, 28 Mar 2024 05:22:36 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682227#M113976 meetmshah 2024-03-28T05:22:36Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682257#M113982 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/258346">@meetmshah</a>&nbsp;</P><P>not working as expected.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sushraw_0-1711621500691.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29929iC936C6255B2F4995/image-size/medium?v=v2&amp;px=400" role="button" title="sushraw_0-1711621500691.png" alt="sushraw_0-1711621500691.png" /></span></P><P><BR />search :- log_type=Passed_Authentications MESSAGE_TEXT="Command Authorization succeeded"&nbsp; | rex field=CmdSet max_match=0 "CmdAV=(?&lt;Command&gt;[^\s]+)|\sCmdArgAV=(?&lt;Command1&gt;[^\s]+)" | makemv delim="," allowempty=t Command1 | table _time,Command,Command1</P> Thu, 28 Mar 2024 10:27:42 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682257#M113982 sushraw 2024-03-28T10:27:42Z https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682489#M113995 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/266356">@sushraw</a>&nbsp;</P><P>Can you please try appending below -&nbsp;</P><LI-CODE lang="markup">| makemv CmdArgAV | eval CmdArgAV = replace(CmdArgAV, "\n", ", ")</LI-CODE><P>&nbsp;</P><P>The final results based on the sample event you shared would be -</P><LI-CODE lang="markup">| makeresults | eval _raw="Mar 26 15:37:59 &lt;device_IP&gt; &lt;device_name&gt;_Passed_Authentications 0045846127 2 0 2024-03-26 14:37:59.011 +00:00 06024423114 5202 NOTICE Device-Administration: Command Authorization succeeded, ConfigVersionId=1398, Device IP Address=&lt;device_IP&gt;, DestinationIPAddress=&lt;device_IP&gt;, DestinationPort=49, UserName=&lt;user&gt;, CmdSet=[ CmdAV=show CmdArgAV=running-config CmdArgAV=interface CmdArgAV=Ethernet1/19 CmdArgAV=&lt;cr&gt; ], Protocol=Tacacs, MatchedCommandSet=Unsafecommand, RequestLatency=10, NetworkDeviceName=&lt;device_name&gt;" | rex field=_raw "CmdSet=\[(?&lt;CmdSet&gt;[^\]]+)\]" | rex field=CmdSet max_match=0 "CmdArgAV=(?&lt;CmdArgAV&gt;[^\s]+)" | makemv CmdArgAV | eval CmdArgAV = replace(CmdArgAV, "\n", ", ")</LI-CODE><P>&nbsp;</P><P>Below screenshot for your reference -</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="KothariSurbhi_0-1711809498250.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/29969iBCED06DAEE4F46E0/image-size/medium?v=v2&amp;px=400" role="button" title="KothariSurbhi_0-1711809498250.png" alt="KothariSurbhi_0-1711809498250.png" /></span></P><P><SPAN>If this reply helps you, Karma would be appreciated.</SPAN></P> Sat, 30 Mar 2024 14:39:10 GMT https://community.splunk.com/t5/Getting-Data-In/add-regular-expression-for-cisco-ISE-accounting-logs-CmdAV-show/m-p/682489#M113995 KothariSurbhi 2024-03-30T14:39:10Z