https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492422#M137362 <P>Hello,</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8846i103D2788186F1E14/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Attached here the list of roles we have. But my regular expression is showing results of only RSI - VPN Users but not all the other roles.</P> <PRE><CODE>rex "^[^\)\n]*\)\[(?P\w+\s+\-\s+\w+\s+\w+)]" </CODE></PRE> <P>Can you please help me here?</P> <P>Entire Query:</P> <PRE><CODE>index=juniperindex | rex "(?P\w+\s+\d+)\s+(?P\d+:\d+:\d+)\s?+(?P\d+\.\d+\.\d+\.\d+)\s+(?P\d+-\d+-\d+T\d+:\d+:\d+-\d+:\d+)\s+(?P[[:graph:]]+)\s+\w+:\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+-\s+\w++\s+-\s+\[(?P\d+\.\d+\.\d+\.\d+)\]\s+(?P\w+)\((?P[[:graph:]]+)\)\[\]\s+-\s+(?P.+)" | rex "^[^\)\n]*\)\[(?P\w+\s+\-\s+\w+\s+\w+)" | rex "^(?:[^'\n]*'){7}(?P\w+)]" | rex "host\s+\'(?P[[:graph:]]+)\'" | rex "address\s+\'(?P[[:graph:]]+)\'" | rex "for\s+user\s+\'(?P[[:alnum:]]+)\'" | rex "reason\s+\'(?P[[:print:]]+)\'" | rex "^(?:[^'\n]*'){2}\s+(?P\w+)" | search status=failed OR status=passed | replace "passed" with successful in status | dedup user_name | table _time IP MAC user_name status user_group </CODE></PRE> Fri, 08 May 2020 07:10:59 GMT vasuparvatham 2020-05-08T07:10:59Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492422#M137362 <P>Hello,</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/8846i103D2788186F1E14/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>Attached here the list of roles we have. But my regular expression is showing results of only RSI - VPN Users but not all the other roles.</P> <PRE><CODE>rex "^[^\)\n]*\)\[(?P\w+\s+\-\s+\w+\s+\w+)]" </CODE></PRE> <P>Can you please help me here?</P> <P>Entire Query:</P> <PRE><CODE>index=juniperindex | rex "(?P\w+\s+\d+)\s+(?P\d+:\d+:\d+)\s?+(?P\d+\.\d+\.\d+\.\d+)\s+(?P\d+-\d+-\d+T\d+:\d+:\d+-\d+:\d+)\s+(?P[[:graph:]]+)\s+\w+:\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+-\s+\w++\s+-\s+\[(?P\d+\.\d+\.\d+\.\d+)\]\s+(?P\w+)\((?P[[:graph:]]+)\)\[\]\s+-\s+(?P.+)" | rex "^[^\)\n]*\)\[(?P\w+\s+\-\s+\w+\s+\w+)" | rex "^(?:[^'\n]*'){7}(?P\w+)]" | rex "host\s+\'(?P[[:graph:]]+)\'" | rex "address\s+\'(?P[[:graph:]]+)\'" | rex "for\s+user\s+\'(?P[[:alnum:]]+)\'" | rex "reason\s+\'(?P[[:print:]]+)\'" | rex "^(?:[^'\n]*'){2}\s+(?P\w+)" | search status=failed OR status=passed | replace "passed" with successful in status | dedup user_name | table _time IP MAC user_name status user_group </CODE></PRE> Fri, 08 May 2020 07:10:59 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492422#M137362 vasuparvatham 2020-05-08T07:10:59Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492423#M137363 <P>can you please help me with a single regular expression to cut below format of entries in the log file:</P> <P>Example:</P> <P>Consultants Special Access<BR /> Contractors Windows Users Special Access<BR /> PulseSAMRole<BR /> RSI - GIB Users<BR /> RSI - IT Desktop Users<BR /> RSI - ORA Devtrack<BR /> RSI - VPN ArchiveContractor Users<BR /> RSI - VPN Contractor Mac Users<BR /> RSI - VPN Contractor Users<BR /> RSI - VPN Contractor Users(Pulse)<BR /> RSI - VPN ITSecurity Users<BR /> <EM>RSI - VPN Users</EM><BR /> test<BR /> Users<BR /> VPN Contractor Pulse</P> <P>Many thanks in advance.</P> Fri, 08 May 2020 07:47:20 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492423#M137363 vasuparvatham 2020-05-08T07:47:20Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492424#M137364 <P>You can try this:</P> <PRE><CODE>^(Con.+ess|Pul.+ole|RSI.+|VPN.+ulse|test|Users) </CODE></PRE> <P>Made a few tweaks with your data here. You can try and test it with more data.</P> <PRE><CODE><A href="https://regex101.com/r/NFBLP2/1" target="test_blank">https://regex101.com/r/NFBLP2/1</A> </CODE></PRE> <P>Let me know if it helps.</P> Fri, 08 May 2020 10:59:03 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492424#M137364 shivanshu1593 2020-05-08T10:59:03Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492425#M137365 <P>thank you.</P> <P>Can you please help me with the syntax for creating a tab called "user_group" and include this regular expression?</P> <P>ex: | rex </P> <P>Thanks in advance.</P> Wed, 13 May 2020 09:20:10 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492425#M137365 vasuparvatham 2020-05-13T09:20:10Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492426#M137366 <P>Maybe this can help:</P> <PRE><CODE>| rex field=_raw "(?&lt;user_group&gt;^(Con.+ess|Pul.+ole|RSI.+|VPN.+ulse|test|Users)" </CODE></PRE> Wed, 13 May 2020 09:36:11 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492426#M137366 shivanshu1593 2020-05-13T09:36:11Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492427#M137367 <P>i will try this today and come back in case of any queries. thanks lot.</P> Wed, 13 May 2020 09:55:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492427#M137367 vasuparvatham 2020-05-13T09:55:46Z https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492428#M137368 <P>No worries. If it worked, please accept this as the answer, so that it may help others in the future, should they run into a similar kind of issue.</P> Thu, 14 May 2020 11:42:05 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Regular-Expression/m-p/492428#M137368 shivanshu1593 2020-05-14T11:42:05Z