Hi all,

I'm having difficulty crafting regex that will extract a field that can have either 1 or multiple words.

Using the "add field" in Splunk Enterprise doesn't seem to be able to get the job done either.  The field I would like to extract is for the "Country" which can be 1 word or multiple words. Any help would be appreciated.

Below is my regex and a sample of the logs from which I am trying to extract fields. I don't consider myself to be a regex guru so don't laugh at my field extraction regex. It works on everything except The country.

User\snamed\s(\w+\s\w+)\sfrom\s(\w+)\sdepartment\saccessed\sthe\sresource\s(\w+\.\w{3})(\/\w+\.*\/*\w+\.*\w{0,4})\sfrom\sthe\ssource\sIP\s(\d+\.\d+\.\d+\.\d+)\sand\scountry\s\W(\w+\s*)

11/17/23

2:25:22.000 PM

[Network-log]: User named Linda White from IT department accessed the resource Cybertees.THM/signup.html from the source IP 10.0.0.2 and country

France at: Fri Nov 17 14:25:22 2023

host = *****

source = networks

sourcetype = network_logs

[Network-log]: User named Robert Wilson from HR department accessed the resource Cybertees.THM/signup.html from the source IP 10.0.0.1 and country

United States at: Fri Nov 17 14:25:11 2023

host = *****

source = networks

sourcetype = network_logs

11/17/23

2:25:21.000 PM

[Network-log]: User named Christopher Turner from HR department accessed the resource Cybertees.THM/products/product2.html from the source IP 192.168.0.100 and country

Germany at: Fri Nov 17 14:25:17 2023

host = *****

source = networks

sourcetype = network_logs