I'm new to splunk.
I have a log event in the following format. The report should capture the Hostname, Agentname and Resource. Also, I'd like to remove the duplicate entries.
[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource]
[TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]
and log entry example is below
AuthAccept Hostname [03/Dec/2018:17:43:06 -0600] "ClientIP UserDN" "Agentname GET /WMT_Logon/Account/LogOn?ViewFlag=false" [idletime=1800;maxtime=603603054;authlevel=5;] [0] [] []
CN = FirstName LastName host = HostName source = c:\Program Files (x86)\ca\siteminder\log\smaccess-dotoksm03pv.log sourcetype = smaccess
I want hostname, Agentname, Resource and Resource in above example is /WMT_Logon/Account/LogOn?ViewFlag=false. But could be different for every event.
I appreciate any help writing this search string. Thanks
try this
index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""
| table Hostname, Agentname Resource | dedup Hostname, Agentname Resource
try this
index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""
| table Hostname, Agentname Resource | dedup Hostname, Agentname Resource
I figure out the error, Instead of P , you need to put actual field name. here is final syntax. Thanks for your help
(?[^\s]+)([^]]+)]\s\"(?[^\"]+)\"\s\"(?[^\s]+)\s(?[^\s]+)\s(?[^\"]+)
this site is hiding some characters, that is why you are not able to see the whole regex (fieldnames),
look at this https://www.regular-expressions.info/refext.html , you can see named capturing groups (3 ways)
Thanks nagarjuna280 for your answer but I got the following error
Regex: unrecognized character after (?P and error entry in the log file is
12-04-2018 21:43:51.453 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Encountered the following error while compiling the regex '\w+\s+(?P[^\s]+)([^]]+)]\s"(?P[^"]+)"\s"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^"]+)"': Regex: unrecognized character after (?P