https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57776#M14107 <P>Hi,</P> <P>I have just installed Splunk as want to get some reports out of a Barracuda Spam firewall we have installed that sends all data to a syslog server. I have installed Splunk on the same machine as syslog so getting the file imported was easy.</P> <P>The problem I am having is with trying to extract fields from the data as I can't seem to 'teach' the system the correct regex.</P> <P>The following is an example line from syslog (anonomiyzed obviously):</P> <PRE><CODE>Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: 114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx 1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47 </CODE></PRE> <P>The data can be totally different which is why Splunk seems to have a problem with it, but the data is always in the same order:</P> <PRE><CODE>Timestamp: Sep 24 15:34:59 Host: 192.168.0.1 Process: inbound/pass1[26165]: Sender: 114-38-48-47.dynamic.hinet.net[114.38.48.47] MessageID: 1285338898-663591fe0001-1ljPNx StartTime: 1285338898 EndTime: 1285338899 Service: RECV From: sender@domain.com To: receiver@domain.com ActionCode: 2 ReasonCode: 62 SenderIP: 114.38.48.47 </CODE></PRE> <P>It was all going well until I got to the ActionCode!</P> <P>There is always whitespace between the 'parts' so am sure it is just a matter of getting the regex correct but am struggling.</P> <P>Would appreciate some help.</P> <P>Thanks.</P> <P>Pete.</P> Fri, 24 Sep 2010 21:46:12 GMT pshankland 2010-09-24T21:46:12Z https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57776#M14107 <P>Hi,</P> <P>I have just installed Splunk as want to get some reports out of a Barracuda Spam firewall we have installed that sends all data to a syslog server. I have installed Splunk on the same machine as syslog so getting the file imported was easy.</P> <P>The problem I am having is with trying to extract fields from the data as I can't seem to 'teach' the system the correct regex.</P> <P>The following is an example line from syslog (anonomiyzed obviously):</P> <PRE><CODE>Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: 114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx 1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47 </CODE></PRE> <P>The data can be totally different which is why Splunk seems to have a problem with it, but the data is always in the same order:</P> <PRE><CODE>Timestamp: Sep 24 15:34:59 Host: 192.168.0.1 Process: inbound/pass1[26165]: Sender: 114-38-48-47.dynamic.hinet.net[114.38.48.47] MessageID: 1285338898-663591fe0001-1ljPNx StartTime: 1285338898 EndTime: 1285338899 Service: RECV From: sender@domain.com To: receiver@domain.com ActionCode: 2 ReasonCode: 62 SenderIP: 114.38.48.47 </CODE></PRE> <P>It was all going well until I got to the ActionCode!</P> <P>There is always whitespace between the 'parts' so am sure it is just a matter of getting the regex correct but am struggling.</P> <P>Would appreciate some help.</P> <P>Thanks.</P> <P>Pete.</P> Fri, 24 Sep 2010 21:46:12 GMT https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57776#M14107 pshankland 2010-09-24T21:46:12Z https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57777#M14108 <P>Can you post the regex you tried?</P> Fri, 24 Sep 2010 22:26:19 GMT https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57777#M14108 christopherutz 2010-09-24T22:26:19Z https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57778#M14109 <PRE><CODE>\w+ \d+ \d{2}:\d{2}:\d{2} (?&lt;host&gt;[0-9.]+)\s+(?&lt;process&gt;\S+)\s+(?&lt;sender&gt;\S+)\s+(?&lt;msgid&gt;\S+)\s+(?&lt;starttime&gt;\d+)\s+(?&lt;endtime&gt;\d+)\s+(?&lt;service&gt;\S+)\s+(?&lt;from&gt;\S+)\s+(?&lt;to&gt;\S+)\s+(?&lt;actioncode&gt;\S+)\s+(?&lt;reasoncode&gt;\S+)\s+(?&lt;senderip&gt;[0-9.]+) </CODE></PRE> Sat, 25 Sep 2010 00:43:14 GMT https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57778#M14109 twinspop 2010-09-25T00:43:14Z https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57779#M14110 <P>Does it always log a single To address, or can you have multiple entries?</P> Sat, 25 Sep 2010 00:59:03 GMT https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57779#M14110 southeringtonp 2010-09-25T00:59:03Z https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57780#M14111 <P>Thanks for the replies.</P> <P>Just to explain what I am trying...</P> <P>I am in the Search window and then click next to one of the entries and select "Extract Fields". I have then highlighted the bit I want to extract and dragged it into the Example Values box. Finally, I have then gone through deleting the sample extractions that were wrong.</P> <P>A pattern never correctly generates as the figures are so small, this is why I thought RegEx would be the correct way to look at the issue.</P> <P>Twinspop - could you let me know where I should be using the regex as assumed it would have been when extracting but that just failed <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>Thanks.</P> Tue, 28 Sep 2010 23:07:34 GMT https://community.splunk.com/t5/Splunk-Search/Regex-data-from-its-position-in-string/m-p/57780#M14111 pshankland 2010-09-28T23:07:34Z