Re: Field Extraction via Regex

raimondo_massar · ‎01-15-2013

Hi
I would like to list below logline in 4 parts and I'm not sure how to do it in with Regex. The automatic field extractor does not work. Any suggestion on how to write the right regex.

Field1  Field2              Field3                                 Field4
[AUDIT] [USER_AUTH_SUCCESS] Authentication successfully completed. User: 'Test'

This is an extract out of the field extractor which is not working:

?:[^[n][){3}(?P<fieldname1>[^]]+)[^ n] [(?P<fieldname2>[^]]+)](?P<fieldname3>s+w+s+w+s+w+.)^(?P<fieldname4>s+w+:)

jonuwz · ‎01-15-2013

In that case feel free to accept the answer below. Thanks

raimondo_massar · ‎01-15-2013

Perfect ..it works. thanks very much for your help !

jonuwz · ‎01-15-2013

Here you go :

* | head 1 
| eval message="[AUDIT] [USER_AUTH_SUCCESS] Authentication successfully completed. User: 'Test'"
| table message 
| rex field=message "\[(?<field1>[^]]+)\] \[(?<field2>[^]]+)\] (?<field3>.*)\s+User: '(?<field4>.*?)'"

Everything between the two " on the last line is the regex you need to extract the fields

i.e.

\[(?<field1>[^]]+)\] \[(?<field2>[^]]+)\] (?<field3>.*)\s+User: '(?<field4>.*?)'

raimondo_massar · ‎01-15-2013

it's always information about the user

jonuwz · ‎01-15-2013

Where does Field4 start ? is it

after a '.'

or

it it always information about the user ?

Field Extraction via Regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep Dive: Accelerate threat investigation with Splunk’s AI Assistant in Security

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Join the Conversation