https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531380#M150098 <P>Hi! im traying to extract a field named hostname from checkpoint logs, but i couldn't with the wizards:</P><P>sample:</P><DIV class="raw-event normal wrap "><SPAN class="t">time=1606760596</SPAN>|<SPAN class="t">hostname=CHKHOST</SPAN>|<SPAN class="t">product=Mobile</SPAN> <SPAN class="t">Access</SPAN>|<SPAN class="t">action=Log</SPAN> <SPAN class="t">In</SPAN>|<SPAN class="t">ifdir=inbound</SPAN>|<SPAN class="t">loguid=</SPAN>{<SPAN class="t">0x5fc53894</SPAN>,<SPAN class="t">0x0</SPAN>,<SPAN class="t">0x250a000a</SPAN>,<SPAN class="t">0x2e9b</SPAN>}|<SPAN class="t">origin=10.0.X.X</SPAN>|<SPAN class="t">originsicname=CN\=FW01</SPAN>,<SPAN class="t">O\=CHKHOST.localdomain</SPAN>|<SPAN class="t">sequencenum=293</SPAN>|<SPAN class="t">time=1606760596</SPAN>|<SPAN class="t">version=5</SPAN>|<SPAN class="t">auth_encryption_methods=AES-256</SPAN> + <SPAN class="t">SHA1</SPAN> + <SPAN class="t">Group</SPAN> <SPAN class="t">2</SPAN>|<SPAN class="t">auth_method=RADIUS</SPAN>|<SPAN class="t">client_build=986100611</SPAN>|<SPAN class="t">client_name=Endpoint</SPAN> <SPAN class="t">Security</SPAN> <SPAN class="t">VPN</SPAN>|<SPAN class="t">client_version=E81.10</SPAN>|<SPAN class="t">cvpn_category=Session</SPAN>|<SPAN class="t">device_identification=</SPAN>{<SPAN class="t">85FAD095-E5AB-43BA-AA8C-B205F783226E</SPAN>}|<SPAN class="t">domain_name=localdomain</SPAN>|<SPAN class="t">event_type=Login</SPAN>|<SPAN class="t">failed_login_factor_num=0</SPAN>|<SPAN class="t">host_ip=192.168.X.X</SPAN>|<SPAN class="t">host_type=PC</SPAN>|<SPAN class="t">hostname=NB-0237</SPAN>|<SPAN class="t">lastupdatetime=1606760596</SPAN>|<SPAN class="t">login_option=Standard</SPAN>|<SPAN class="t">login_timestamp=1606760596</SPAN>|<SPAN class="t">mac_address=40:5b:d8:64:5b:29</SPAN>|<SPAN class="t">methods:=3DES</SPAN> + <SPAN class="t">SHA1</SPAN>|<SPAN class="t">office_mode_ip=10.193.0.89</SPAN>|<SPAN class="t">os_bits=64bit</SPAN>|<SPAN class="t">os_build=18363</SPAN>|<SPAN class="t">os_edition=Enterprise</SPAN>|<SPAN class="t">os_name=Windows</SPAN>|<SPAN class="t">os_version=10</SPAN>|<SPAN class="t">proto=6</SPAN>|<SPAN class="t">proxy_src_ip=0.0.0.0</SPAN>|<SPAN class="t">s_port=0</SPAN>|<SPAN class="t">service=443</SPAN>|<SPAN class="t">session_timeout=43200</SPAN>|<SPAN class="t">session_uid=</SPAN>{<SPAN class="t">5FC53894-0000-0000-0A00-0A259B2E0000</SPAN>}|<SPAN class="t">src=181.121.X.X</SPAN>|<SPAN class="t">status=Success</SPAN>|<SPAN class="t">suppressed_logs=0</SPAN>|<SPAN class="t">tunnel_protocol=IPSec</SPAN>|<SPAN class="t">user=agimenez</SPAN>|<SPAN class="t">user_dn=agimenez</SPAN>|<SPAN class="t h"><SPAN class="t">user_group=VPN</SPAN>_<SPAN class="t">Group|</SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">if you see there are two hostname fields, one with the checkpoint hostname and the other with the device connecting to the vpn. I need the second value.</SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">In smart mode or verbose mode, splunk only detects the first hostname field.</SPAN></SPAN></DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">How can i parse the second field? Ive tried field extraction wizard with regular expression only selecting the second hostname and i get this error:</SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings. </SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">When i try using delimieters, selecting pipe, i get this error:</SPAN></SPAN></DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">has exceeded the configured depth_limit, consider raising the value in limits.conf. </SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap ">any help would be appreciated.</DIV> Mon, 30 Nov 2020 19:09:54 GMT dieguiariel 2020-11-30T19:09:54Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531380#M150098 <P>Hi! im traying to extract a field named hostname from checkpoint logs, but i couldn't with the wizards:</P><P>sample:</P><DIV class="raw-event normal wrap "><SPAN class="t">time=1606760596</SPAN>|<SPAN class="t">hostname=CHKHOST</SPAN>|<SPAN class="t">product=Mobile</SPAN> <SPAN class="t">Access</SPAN>|<SPAN class="t">action=Log</SPAN> <SPAN class="t">In</SPAN>|<SPAN class="t">ifdir=inbound</SPAN>|<SPAN class="t">loguid=</SPAN>{<SPAN class="t">0x5fc53894</SPAN>,<SPAN class="t">0x0</SPAN>,<SPAN class="t">0x250a000a</SPAN>,<SPAN class="t">0x2e9b</SPAN>}|<SPAN class="t">origin=10.0.X.X</SPAN>|<SPAN class="t">originsicname=CN\=FW01</SPAN>,<SPAN class="t">O\=CHKHOST.localdomain</SPAN>|<SPAN class="t">sequencenum=293</SPAN>|<SPAN class="t">time=1606760596</SPAN>|<SPAN class="t">version=5</SPAN>|<SPAN class="t">auth_encryption_methods=AES-256</SPAN> + <SPAN class="t">SHA1</SPAN> + <SPAN class="t">Group</SPAN> <SPAN class="t">2</SPAN>|<SPAN class="t">auth_method=RADIUS</SPAN>|<SPAN class="t">client_build=986100611</SPAN>|<SPAN class="t">client_name=Endpoint</SPAN> <SPAN class="t">Security</SPAN> <SPAN class="t">VPN</SPAN>|<SPAN class="t">client_version=E81.10</SPAN>|<SPAN class="t">cvpn_category=Session</SPAN>|<SPAN class="t">device_identification=</SPAN>{<SPAN class="t">85FAD095-E5AB-43BA-AA8C-B205F783226E</SPAN>}|<SPAN class="t">domain_name=localdomain</SPAN>|<SPAN class="t">event_type=Login</SPAN>|<SPAN class="t">failed_login_factor_num=0</SPAN>|<SPAN class="t">host_ip=192.168.X.X</SPAN>|<SPAN class="t">host_type=PC</SPAN>|<SPAN class="t">hostname=NB-0237</SPAN>|<SPAN class="t">lastupdatetime=1606760596</SPAN>|<SPAN class="t">login_option=Standard</SPAN>|<SPAN class="t">login_timestamp=1606760596</SPAN>|<SPAN class="t">mac_address=40:5b:d8:64:5b:29</SPAN>|<SPAN class="t">methods:=3DES</SPAN> + <SPAN class="t">SHA1</SPAN>|<SPAN class="t">office_mode_ip=10.193.0.89</SPAN>|<SPAN class="t">os_bits=64bit</SPAN>|<SPAN class="t">os_build=18363</SPAN>|<SPAN class="t">os_edition=Enterprise</SPAN>|<SPAN class="t">os_name=Windows</SPAN>|<SPAN class="t">os_version=10</SPAN>|<SPAN class="t">proto=6</SPAN>|<SPAN class="t">proxy_src_ip=0.0.0.0</SPAN>|<SPAN class="t">s_port=0</SPAN>|<SPAN class="t">service=443</SPAN>|<SPAN class="t">session_timeout=43200</SPAN>|<SPAN class="t">session_uid=</SPAN>{<SPAN class="t">5FC53894-0000-0000-0A00-0A259B2E0000</SPAN>}|<SPAN class="t">src=181.121.X.X</SPAN>|<SPAN class="t">status=Success</SPAN>|<SPAN class="t">suppressed_logs=0</SPAN>|<SPAN class="t">tunnel_protocol=IPSec</SPAN>|<SPAN class="t">user=agimenez</SPAN>|<SPAN class="t">user_dn=agimenez</SPAN>|<SPAN class="t h"><SPAN class="t">user_group=VPN</SPAN>_<SPAN class="t">Group|</SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">if you see there are two hostname fields, one with the checkpoint hostname and the other with the device connecting to the vpn. I need the second value.</SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">In smart mode or verbose mode, splunk only detects the first hostname field.</SPAN></SPAN></DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">How can i parse the second field? Ive tried field extraction wizard with regular expression only selecting the second hostname and i get this error:</SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings. </SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">When i try using delimieters, selecting pipe, i get this error:</SPAN></SPAN></DIV><DIV class="raw-event normal wrap "><SPAN class="t h"><SPAN class="t">has exceeded the configured depth_limit, consider raising the value in limits.conf. </SPAN></SPAN></DIV><DIV class="raw-event normal wrap ">&nbsp;</DIV><DIV class="raw-event normal wrap ">any help would be appreciated.</DIV> Mon, 30 Nov 2020 19:09:54 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531380#M150098 dieguiariel 2020-11-30T19:09:54Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531389#M150099 <P>Try using rex.</P><LI-CODE lang="markup">... | rex max_match=2 "hostname=(?&lt;hostname&gt;[^\|]+)" | eval hostname=mvindex(hostname,1) ...</LI-CODE> Mon, 30 Nov 2020 19:27:31 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531389#M150099 richgalloway 2020-11-30T19:27:31Z https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531394#M150103 <P>Thank you!!! it works perfectly!</P> Mon, 30 Nov 2020 19:56:09 GMT https://community.splunk.com/t5/Splunk-Search/Field-extraction-from-checkpoint-log-with-two-hostname-values/m-p/531394#M150103 dieguiariel 2020-11-30T19:56:09Z