facing issue in field extraction for regex

pragycho · ‎09-14-2019

Hi All,
I wish to create a regex that should work with multiple log format
using  2 type log format.
1)
log format:
5 auth_mechanism: SSO_ISE auth group

[syslog_pass1]
regex =(?P<user_agent>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1  cust_field::$2

2)
In second log format , one new field(proxy_id) is added in between user_agent ad cust_field.
Log Format:
 5 3 auth_mechanism: SSO_ISE auth group

[syslog_pass2]
regex =(?P<user_agent>\s+[(\S+)])(?P<proxy_instance_id>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?) 
FORMAT= user_agent::$1 proxy_id::$2 cust_field::$3

we wrote 2 regex for different log format.but field extration is not happening properly
if log is coming in  this log  format:  5 auth_mechanism: SSO_ISE  but so i am getting field value for user_agent is 5 , proxy_id is a , cust_field is auth_mechanism: SSO_ISE.
how to correct the regex for getting correct value of field ?

maciep · ‎09-14-2019

Assuming that is the entire message and useragent/proxy id will be numbers, I'd probably write it like this, with just one regex.

^\s*(?<user_agent>\d+)\s*(?<proxy_id>\d*)\s*(?<cust_field>[^:]+)

Also, I believe if you specify the named capture group in your regex, then you don't need to specify the FORMAT....at least at search time.

facing issue in field extraction for regex

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

facing issue in field extraction for regex

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk