Extracting multiple fields from comma separated log

ptur — Tue, 29 Sep 2020 13:57:07 GMT

Hello,

Can someone help me to build a table report by extracting 3 fields from a comma separated log:

Here's a log example:

2017-05-03 13:30:36 User.Error 10.40.11.241 2017-05-03 17:30:35,987, , audit.runtime.com.rsa.authmgr.internal.protocol.ace.AuthV4RequestHandler, ERROR, eec1c356f110280a7888f02ad5a2b3e9,1336c44ff110280a0801a35a997a135e,10.40.11.11,10.40.16.241,AUTH_PRINCIPAL_RESOLUTION,23008,FAIL,AUTH_RESOLUTION_FAILED_BY_ID_ALIAS,,,,,ptr555,,,1c0931660610330a1a1eb51b527f5700,000000000000000000001000e0011000,10.40.18.73,njx-domain..net,1,,,,,,,1,,,,,,,,

desired result would be a table with a result:

ptr555|FAIL|AUTH_RESOLUTION_FAILED_BY_ID_ALIAS

Thanks!

Re: Extracting multiple fields from comma separated log

cpetterborg — Fri, 05 May 2017 01:18:50 GMT

Assuming that any one of the fills could have values, but non having an embedded comma, this should work to get your three fields:

_your_search_ | rex "^([^,]*?,){11}(?P<a>[^,]+),(?P<b>[^,]*),([^,]*?,){4}(?P<c>[^,]+)," | table c, a, b

Try this out and see if you get the fields the way you want them. It worked for me with the one line example data you included. I don't know what your table headings would be, so I just used a, b and c. You can change that for your search.

topic Re: Extracting multiple fields from comma separated log in Splunk Search

Extracting multiple fields from comma separated log

Re: Extracting multiple fields from comma separated log