facing issue in field extraction for regex

pragycho
Loves-to-Learn
Hi All,
I wish to create a regex that should work with multiple log formats, using 2 types of log format.
1)
log format:
5 auth_mechanism: SSO_ISE auth group

[syslog_pass1]
regex =(?P<user_agent>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1  cust_field::$2

2)
In the second log format, one new field (proxy_id) is added between user_agent and cust_field.
Log Format:
 5 3 auth_mechanism: SSO_ISE auth group

[syslog_pass2]
regex =(?P<user_agent>\s+[(\S+)])(?P<proxy_instance_id>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?) 
FORMAT= user_agent::$1 proxy_id::$2 cust_field::$3

We wrote 2 regexes for the different log formats, but field extraction is not happening properly.
If a log comes in this log format: 5 auth_mechanism: SSO_ISE then I am getting the field value for user_agent as 5, proxy_id as a, and cust_field as auth_mechanism: SSO_ISE.
How do I correct the regex to get the correct value of each field?

maciep
Champion

Assuming that is the entire message and useragent/proxy id will be numbers, I'd probably write it like this, with just one regex.

^\s*(?<user_agent>\d+)\s*(?<proxy_id>\d*)\s*(?<cust_field>[^:]+)

Also, I believe if you specify the named capture group in your regex, then you don't need to specify the FORMAT... at least at search time.

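Checking maciep's single regex against both log formats from the question, as an added Python example that is not part of the thread: the sample events are constructed, and the regex is rewritten with Python's (?P<name>...) group syntax, which Splunk's PCRE engine also accepts. It also shows what the user_agent group of the original regex actually captures.

```python
import re
from typing import Optional

# maciep's single regex, rewritten with Python's (?P<name>...) syntax;
# Splunk's PCRE engine accepts both (?<name>...) and (?P<name>...).
FIELD_RE = re.compile(
    r"^\s*(?P<user_agent>\d+)\s*(?P<proxy_id>\d*)\s*(?P<cust_field>[^:]+)"
)

# The user_agent part of the question's original regex, kept verbatim
# so its behaviour can be checked against the same events.
ORIGINAL_UA_RE = re.compile(r"(?P<user_agent>\s+[(\S+)])")

# Constructed sample events mirroring the two formats in the question.
SAMPLE_EVENTS = {
    "format1": "5 auth_mechanism: SSO_ISE auth group",
    "format2": " 5 3 auth_mechanism: SSO_ISE auth group",
}


def extract_fields(event: str) -> dict:
    """Apply the single regex; return {} when it does not match.

    proxy_id comes back as "" for format 1, since \\d* matches the empty
    string (Splunk drops an empty capture at search time). cust_field
    stops at the first colon because of [^:]+.
    """
    m = FIELD_RE.match(event)
    return m.groupdict() if m else {}


def original_user_agent(event: str) -> Optional[str]:
    """What the question's user_agent group actually captures.

    Inside a character class, [(\\S+)] means "one character that is
    non-whitespace, '(', '+' or ')'", so the group only ever takes
    \\s+ plus a single character, which is why the later groups shift.
    """
    m = ORIGINAL_UA_RE.search(event)
    return m.group("user_agent") if m else None


if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print(name, extract_fields(event), repr(original_user_agent(event)))
```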