facing issue in field extraction for regex

pragycho · ‎09-14-2019

Hi All,
I wish to create a regex that should work with multiple log format
using  2 type log format.
1)
log format:
5 auth_mechanism: SSO_ISE auth group

[syslog_pass1]
regex =(?P<user_agent>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1  cust_field::$2

2)
In second log format , one new field(proxy_id) is added in between user_agent ad cust_field.
Log Format:
 5 3 auth_mechanism: SSO_ISE auth group

[syslog_pass2]
regex =(?P<user_agent>\s+[(\S+)])(?P<proxy_instance_id>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?) 
FORMAT= user_agent::$1 proxy_id::$2 cust_field::$3

we wrote 2 regex for different log format.but field extration is not happening properly
if log is coming in  this log  format:  5 auth_mechanism: SSO_ISE  but so i am getting field value for user_agent is 5 , proxy_id is a , cust_field is auth_mechanism: SSO_ISE.
how to correct the regex for getting correct value of field ?

maciep · ‎09-14-2019

Assuming that is the entire message and useragent/proxy id will be numbers, I'd probably write it like this, with just one regex.

^\s*(?<user_agent>\d+)\s*(?<proxy_id>\d*)\s*(?<cust_field>[^:]+)

Also, I believe if you specify the named capture group in your regex, then you don't need to specify the FORMAT....at least at search time.

facing issue in field extraction for regex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation

facing issue in field extraction for regex

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...