topic Re: Field Extraction : regex works fine with search using &quot;rex&quot; command but not with Field extraction in Splunk Search https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548779#M155688 <P>Only "RULE_NAME" seems to be correctly extracted by default (see attachment), i don't know why...</P> Wed, 21 Apr 2021 13:08:19 GMT Flo-Paris 2021-04-21T13:08:19Z Field Extraction : regex works fine with search using "rex" command but not with Field extraction https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548777#M155686 <P>Hello,</P><P>I'm trying to analyze WatchGuard firewall logs received by Splunk using syslog on udp 514 port.</P><P>I was able to find a well working regex to use in a search using the following rex command in order to extract needed fields :</P><P>*<BR />| rex field=_raw ".*\s(?&lt;HOSTNAME&gt;\S+)\s(?&lt;PROCESS&gt;\S+):\s.*\s(?&lt;DISPOSITION&gt;(Allow|Deny))\s(?&lt;SRC_INT&gt;\S+)\s(?&lt;DST_INT&gt;\S+)\s.*(?&lt;PR&gt;(icmp|igmp|tcp|udp)).*\s(?&lt;SRC_IP&gt;[[octet]](?:\.[[octet]]){3})\s(?&lt;DST_IP&gt;[[octet]](?:\.[[octet]]){3})\s(?&lt;SRC_PORT&gt;\d{1,5})\s(?&lt;DST_PORT&gt;\d{1,5})\s.*\((?P&lt;RULE_NAME&gt;.*)?(-00)\)$"<BR />| table HOSTNAME,PROCESS,DISPOSITION,SRC_INT,DST_INT,PR,SRC_IP,DST_IP,SRC_PORT,DST_PORT,RULE_NAME</P><P>&nbsp;</P><P>Result is a table as we can see in attachment.</P><P>Now, in order to optimize all of that, i would like to be able to extract all these fields automatically without having the need to use a rex command in each search i run...</P><P>i tryed using the Splunk Field extraction wizard, both using the automatic regex generator and by copy paste my search regex, but no success...</P><P>i suppose i missed something somewhere ?</P><P>thanks for your help</P><P>Florent</P><P>&nbsp;</P> Wed, 21 Apr 2021 13:03:42 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548777#M155686 Flo-Paris 2021-04-21T13:03:42Z Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548778#M155687 <P>Exemple of original log received :</P><P><SPAN class="t">Apr</SPAN> <SPAN class="t">21</SPAN> <SPAN class="t">15:04:33</SPAN> <SPAN class="t">10.40.1.254</SPAN> <SPAN class="t">Apr</SPAN> <SPAN class="t">21</SPAN> <SPAN class="t">15:04:33</SPAN> <SPAN class="t">FRPARXXX0001.mydomain.local</SPAN>&nbsp;<SPAN class="t">firewall:</SPAN> <SPAN class="t">msg_id=</SPAN><SPAN>"</SPAN><SPAN class="t">3000-0151</SPAN><SPAN>" </SPAN><SPAN class="t">Allow</SPAN> <SPAN class="t">Firebox</SPAN> <SPAN class="t">EXT-FIBER-XXX-100</SPAN> <SPAN class="t">udp</SPAN> <SPAN class="t">1XX.XXX.XXX.1</SPAN> <SPAN class="t">1.XXX.XXX.10</SPAN> <SPAN class="t">39010</SPAN> <SPAN class="t">53</SPAN> <SPAN class="t">dst_user=</SPAN><SPAN>"</SPAN><SPAN class="t">administrator@mydomain.local</SPAN><SPAN>" </SPAN><SPAN class="t">duration=</SPAN><SPAN>"</SPAN><SPAN class="t">32</SPAN><SPAN>" </SPAN><SPAN class="t">sent_bytes=</SPAN><SPAN>"</SPAN><SPAN class="t">68</SPAN><SPAN>" </SPAN><SPAN class="t">rcvd_bytes=</SPAN><SPAN>"</SPAN><SPAN class="t">128</SPAN><SPAN>" (</SPAN><SPAN class="t">Any</SPAN> <SPAN class="t">From</SPAN> <SPAN class="t">Firebox-00)</SPAN></P> Wed, 21 Apr 2021 13:06:16 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548778#M155687 Flo-Paris 2021-04-21T13:06:16Z Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548779#M155688 <P>Only "RULE_NAME" seems to be correctly extracted by default (see attachment), i don't know why...</P> Wed, 21 Apr 2021 13:08:19 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548779#M155688 Flo-Paris 2021-04-21T13:08:19Z Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548780#M155689 <P>Even if Splunk field extraction wizard seems to match my fields already...</P> Wed, 21 Apr 2021 13:15:01 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548780#M155689 Flo-Paris 2021-04-21T13:15:01Z Re: Field Extraction : regex works fine with search using "rex" command but not with Field extraction https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548782#M155691 <P>Here are my existing Field Extractions in the Splunk Settings / Fields / Field Extractions menu</P> Wed, 21 Apr 2021 13:17:46 GMT https://community.splunk.com/t5/Splunk-Search/Field-Extraction-regex-works-fine-with-search-using-quot-rex/m-p/548782#M155691 Flo-Paris 2021-04-21T13:17:46Z