- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you extract multiple substrings from th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm new to splunk.
I have a log event in the following format. The report should capture the Hostname, Agentname and Resource. Also, I'd like to remove the duplicate entries.
[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource]
[TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]
and log entry example is below
AuthAccept Hostname [03/Dec/2018:17:43:06 -0600] "ClientIP UserDN" "Agentname GET /WMT_Logon/Account/LogOn?ViewFlag=false" [idletime=1800;maxtime=603603054;authlevel=5;] [0] [] []
CN = FirstName LastName host = HostName source = c:\Program Files (x86)\ca\siteminder\log\smaccess-dotoksm03pv.log sourcetype = smaccess
I want hostname, Agentname, Resource and Resource in above example is /WMT_Logon/Account/LogOn?ViewFlag=false. But could be different for every event.
I appreciate any help writing this search string. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""
| table Hostname, Agentname Resource | dedup Hostname, Agentname Resource
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""
| table Hostname, Agentname Resource | dedup Hostname, Agentname Resource
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figure out the error, Instead of P , you need to put actual field name. here is final syntax. Thanks for your help
(?[^\s]+)([^]]+)]\s\"(?[^\"]+)\"\s\"(?[^\s]+)\s(?[^\s]+)\s(?[^\"]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this site is hiding some characters, that is why you are not able to see the whole regex (fieldnames),
look at this https://www.regular-expressions.info/refext.html , you can see named capturing groups (3 ways)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks nagarjuna280 for your answer but I got the following error
Regex: unrecognized character after (?P and error entry in the log file is
12-04-2018 21:43:51.453 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Encountered the following error while compiling the regex '\w+\s+(?P[^\s]+)([^]]+)]\s"(?P[^"]+)"\s"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^"]+)"': Regex: unrecognized character after (?P
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
