topic Fetch the data from the fields which has 2 words in the field name using regular expression? in Splunk Search

Fetch the data from the fields which has 2 words in the field name using regular expression?

khojas02 — Tue, 31 Mar 2020 00:48:57 GMT

I have an event as below:

Mar 30 16:59:08 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = roys86, IP = ...**, Session disconnected. Session Type: SSL, Duration: 7h:18m:21s, Bytes xmt: 408659006, Bytes rcv: 162000348, Reason: User Requested

Now, I would like to fetch the values for the fields Session Type, Duration, Bytes xmt, Bytes rcv, Reason

I would also like to rename some the fields after fetching the data. Thanks in advance!!

Re: Fetch the data from the fields which has 2 words in the field name using regular expression?

woodcock — Tue, 31 Mar 2020 02:01:50 GMT

Like this:

... | rex "Session\sType:\s*(?<session_type>\S+),\s+Duration:\s*(?<duration>\S+),\s*Bytes xmt:\s*(?<bytes_xmt>\d+),\s*Bytes rcv:\s*(?<bytes_rcv>\d+),\s*Reason:\s*(?<reason>.*)" ...

Re: Fetch the data from the fields which has 2 words in the field name using regular expression?

khojas02 — Tue, 31 Mar 2020 20:35:10 GMT

Thank you for your response. This has worked for me, however my events got changed now as below:

Mar 31 13:21:29 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = VAZQUD68, IP = 162.228.72.102, Session disconnected. Session Type: SSL, Duration: 1h:06m:28s, Bytes xmt: 17586992, Bytes rcv: 6595282, Reason: Idle Timeout

Can you help me fetch the valules for Group, Username, IP, Session Type, Duration, Bytes xmt, Bytes rcv, Reason? Also, I would like to fetch "vg1" value that can go into the column name "Host".

Thanks in advance!!

Re: Fetch the data from the fields which has 2 words in the field name using regular expression?

woodcock — Tue, 31 Mar 2020 20:57:53 GMT

Te pattern in my answer is very easy to extend; give it a try and you will learn something!