topic Re: How do you extract multiple substrings from the following events? in Splunk Search

How do you extract multiple substrings from the following events?

atul9771 — Tue, 04 Dec 2018 23:43:16 GMT

I'm new to splunk.

I have a log event in the following format. The report should capture the Hostname, Agentname and Resource. Also, I'd like to remove the duplicate entries.
[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource]
[TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]

and log entry example is below

AuthAccept Hostname [03/Dec/2018:17:43:06 -0600] "ClientIP UserDN" "Agentname GET /WMT_Logon/Account/LogOn?ViewFlag=false" [idletime=1800;maxtime=603603054;authlevel=5;] [0]  [] []
CN =    FirstName LastName host =   HostName source =   c:\Program Files (x86)\ca\siteminder\log\smaccess-dotoksm03pv.log sourcetype =  smaccess

I want hostname, Agentname, Resource and Resource in above example is /WMT_Logon/Account/LogOn?ViewFlag=false. But could be different for every event.

I appreciate any help writing this search string. Thanks

Re: How do you extract multiple substrings from the following events?

nagarjuna280 — Wed, 05 Dec 2018 02:09:58 GMT

try this

index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""  
 | table Hostname, Agentname  Resource | dedup Hostname, Agentname  Resource

Re: How do you extract multiple substrings from the following events?

atul9771 — Wed, 05 Dec 2018 03:48:52 GMT

Thanks nagarjuna280 for your answer but I got the following error
Regex: unrecognized character after (?P and error entry in the log file is

12-04-2018 21:43:51.453 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Encountered the following error while compiling the regex '\w+\s+(?P[^\s]+)([^]]+)]\s"(?P[^"]+)"\s"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^"]+)"': Regex: unrecognized character after (?P

Re: How do you extract multiple substrings from the following events?

atul9771 — Wed, 05 Dec 2018 05:44:35 GMT

I figure out the error, Instead of P , you need to put actual field name. here is final syntax. Thanks for your help
(?[^\s]+)([^]]+)]\s\"(?[^\"]+)\"\s\"(?[^\s]+)\s(?[^\s]+)\s(?[^\"]+)

Re: How do you extract multiple substrings from the following events?

nagarjuna280 — Wed, 05 Dec 2018 06:09:15 GMT

this site is hiding some characters, that is why you are not able to see the whole regex (fieldnames),

look at this https://www.regular-expressions.info/refext.html , you can see named capturing groups (3 ways)