
Complex regex help

jlixfeld
Path Finder

I've tried a few tools to try and write the proper regex syntax to do what I want, but I'm not having any luck.

I have syslog output from two different device types, and the fields differ depending on which device type it comes from:

Oct  5 09:02:40 10.219.49.2 66772: bfr01.151front711 RP/0/RSP0/CPU0:Oct  5 09:02:40.861 : exec[65706]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'rancid' from '10.219.51.130' on 'vty0'
Oct  5 08:12:29 10.219.49.31 146074: bpe01.77mowat506: Oct  5 08:12:28.623: %LINK-3-UPDOWN: Interface Virtual-Access45, changed state to down

The important fields are the hostname, which appears in field 6 in both lines, and what Cisco calls the "%message-group-severity-message-code", which appears in two different fields depending on the device.

Using the field extractor, I can generate a regex that captures the hostname:

"(?:[^:\n]*:){6}\s+(?P<FIELDNAME1>[^ ]+)"

But I can't figure out how to get the field extractor to also capture the %message as a different field. Heck, I can't even get it to reliably match %message in the first place. It doesn't seem to understand when I copy and paste different values from two different fields and ask it to match against them.

I'd be grateful for any assistance.

0 Karma
1 Solution

gkanapathy
Splunk Employee

Try:

^(?:\S*\s*){5}(?<hostname>\S*)[^%]*(?<message>%\S+)

It could be more precise (e.g., it could define where after the hostname the message occurs, instead of just finding the first %), but should work.
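As an added example that is not part of the thread, the script below runs three patterns over the two sample lines from the question: the accepted pattern above, the colon-delimited pattern suggested further down the thread, and a tightened variant of my own. It uses Python's `re` module, which needs the `(?P<name>...)` spelling for named groups (Splunk's PCRE accepts both `(?<name>...)` and `(?P<name>...)`, so the patterns drop straight into a `rex` command or a props.conf EXTRACT). Running it shows two things worth knowing before the fields go into lookups or correlation searches: the accepted pattern's `\S*` keeps the trailing colon that the IOS device appends to both the hostname and the %message on the second line, and a hostname group that runs to the next `:` swallows the IOS XR node name `RP/0/RSP0/CPU0`. The `severity` helper is my assumption about the Cisco format (the severity is the lone single-digit field inside the %group-severity-code token), not something the thread states.

```python
import re

# Constructed sample input: the two syslog lines from the question, one from
# an IOS XR box (bfr01, with the 'RP/0/RSP0/CPU0' node name) and one from an
# IOS box (bpe01, which appends ':' to the hostname and the %message).
SAMPLE_LINES = [
    "Oct  5 09:02:40 10.219.49.2 66772: bfr01.151front711 RP/0/RSP0/CPU0:Oct  5 09:02:40.861 : "
    "exec[65706]: %SECURITY-login-6-AUTHEN_SUCCESS : Successfully authenticated user 'rancid' "
    "from '10.219.51.130' on 'vty0'",
    "Oct  5 08:12:29 10.219.49.31 146074: bpe01.77mowat506: Oct  5 08:12:28.623: "
    "%LINK-3-UPDOWN: Interface Virtual-Access45, changed state to down",
]

PATTERNS = {
    # The accepted answer, rewritten with Python's (?P<name>...) group syntax.
    # \S* for the hostname and \S+ for the message both keep a trailing ':'.
    "accepted": re.compile(
        r"^(?:\S*\s*){5}(?P<hostname>\S*)[^%]*(?P<message>%\S+)"
    ),
    # The colon-delimited suggestion from the thread: [^:]+ runs to the next
    # ':', so on the IOS XR line the hostname swallows ' RP/0/RSP0/CPU0'.
    "colon_delimited": re.compile(
        r"[^ ]+ [^ ]+ [^ ]+ [0-9]+: (?P<hostname>[^:]+).*: (?P<message>%[^:]+):"
    ),
    # Tightened variant (mine, not from the thread): the hostname stops at
    # whitespace or ':', and the message is only the %GROUP-SEVERITY-CODE
    # token, so neither field carries the IOS-style trailing colon.
    "tight": re.compile(
        r"^(?:\S+\s+){5}(?P<hostname>[^\s:]+)[^%]*(?P<message>%[^\s:]+)"
    ),
}


def extract(line, pattern_name="tight"):
    """Return {'hostname': ..., 'message': ...} for one line, or None if no match."""
    match = PATTERNS[pattern_name].search(line)
    return match.groupdict() if match else None


def severity(message):
    """Cisco severity (0-7) as an int, taken from the lone single-digit field of
    the %GROUP-...-SEVERITY-CODE token; None if the token has no such field.
    (Assumption about the Cisco format, not from the thread.)"""
    match = re.search(r"-([0-7])-", message)
    return int(match.group(1)) if match else None


def compare(lines=SAMPLE_LINES):
    """Run every pattern over every line so the differences can be compared."""
    return {name: [extract(line, name) for line in lines] for name in PATTERNS}


if __name__ == "__main__":
    for name, results in compare().items():
        print(name)
        for result in results:
            print("   ", result)
```

The `tight` pattern is the one to keep: it anchors the hostname to the sixth whitespace-delimited field, as the question describes, and it yields `bpe01.77mowat506` rather than `bpe01.77mowat506:` on the IOS line, which matters as soon as the field is joined against an asset list.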

jlixfeld
Path Finder

Hi Oliver,

You are partially right. I perhaps didn't make my question clear enough. I apologize. I'd like to match %message as well as hostname. I understand that the field extractor can extract multiple fields at once.

0 Karma

jlixfeld
Path Finder

Again, my apologies. The hostname in the example would be either bfr01.151front711 or bpe01.77mowat506.

I tried your second regex, and that works much better, except for one small issue. It matches this as one field:

bfr01.151front711 RP/0/RSP0/CPU0

The one field should only be:

bfr01.151front711

0 Karma

OL
Communicator

Sorry, I'm not sure that I can recognize the hostnames in the log, but I'm guessing you want to get "bfr01.151front711 RP/0/RSP0/CPU0" and "bpe01.77mowat506". Would this one be OK:

[^ ]+ [^ ]+ [^ ]+ [0-9]+: (?<hostname>[^:]+).*: (?<message>%[^:]+):

0 Karma

OL
Communicator

Hello,

From your email I understand that you are trying to collect "%SECURITY-login-6-AUTHEN_SUCCESS" and "%LINK-3-UPDOWN". If this is correct, have you tried this regex:

: (?<FIELDNAME1>%[^:]+):

Hope this helps.

Regards,
Olivier

0 Karma