https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304466#M91529 <P>Hey @plarsenDST, can you accept the Answer if it worked? You and Rich will both receive karma points that way! </P> Tue, 29 Aug 2017 19:37:28 GMT lfedak_splunk 2017-08-29T19:37:28Z https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304463#M91526 <P>Has anyone done any work with Dell/Quest TPAM logs? Not enough experience with regex to know where to start.</P> <P>As an example for UserName: sometimes it is one word sometimes it is two words so having Splunk Build the regex does not work real well.</P> <P>Trying to learn so what kind of Regex will take next word or two words before it see's another word with a trailing colon: which would be the next key pair, like Operation: or ObjectType: in the log examples below. </P> <P>Aug 22 03:41:41 TPAMHOST1 PAR[72]: Source: TPAMCONSOLE UserName: <STRONG>Automation Engine</STRONG> Operation: Timed Out ObjectType: Authenticated Session Target: id12345 Role: N/A Failed? 0 OtherInfo: Inactive for 40 minutes</P> <P>Aug 22 03:29:19 TPAMHOST1 PAR[61]: Source: TPAMCONSOLE UserName: <STRONG>id12345</STRONG> Operation: Logout ObjectType: Authentication Target: id12345 Role: N/A Failed? 0 OtherInfo: Inactive for 14 seconds. From address 10.10.10.10</P> Tue, 29 Aug 2017 12:43:17 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304463#M91526 plarsenDST 2017-08-29T12:43:17Z https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304464#M91527 <P>Use the keyword that follows as a delimiter. See if this regex helps.</P> <PRE><CODE>Source:\s(?&lt;Source&gt;.*?)\sUserName:\s(?&lt;UserName&gt;.*?)\sOperation:\s(?&lt;Operation&gt;.*?)\sObjectType:\s(?&lt;ObjectType&gt;.*?)\sTarget:(?&lt;Target&gt;.*?)\sRole:\s(?&lt;Role&gt;.*?)\sFailed\?(?&lt;Failed&gt;.*?)\sOtherInfo:\s(?&lt;OtherInfo&gt;.*) </CODE></PRE> Tue, 29 Aug 2017 15:54:40 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304464#M91527 richgalloway 2017-08-29T15:54:40Z https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304465#M91528 <P>Thanks for the help.</P> <P>Removed the <CODE>\sFailed\?(?&lt;Failed&gt;.*?)</CODE> part as that was the Role: value. So the rest is as you provided which seems to be doing what it is supposed to.</P> <P>Thanks again.</P> <PRE><CODE>Source:\s(?&lt;Source&gt;.*?)\sUserName:\s(?&lt;UserName&gt;.*?)\sOperation:\s(?&lt;Operation&gt;.*?)\sObjectType:\s(?&lt;ObjectType&gt;.*?)\sTarget:(?&lt;Target&gt;.*?)\sRole:\s(?&lt;Role&gt;.*?)\sOtherInfo:\s(?&lt;OtherInfo&gt;.*) </CODE></PRE> Tue, 29 Aug 2017 18:32:35 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304465#M91528 plarsenDST 2017-08-29T18:32:35Z https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304466#M91529 <P>Hey @plarsenDST, can you accept the Answer if it worked? You and Rich will both receive karma points that way! </P> Tue, 29 Aug 2017 19:37:28 GMT https://community.splunk.com/t5/Splunk-Search/Regex-for-Dell-Quest-TPAM-logs/m-p/304466#M91529 lfedak_splunk 2017-08-29T19:37:28Z