facing issue in field extraction for regex
pragycho
Loves-to-Learn
09-14-2019
02:59 AM
Hi All,
I wish to create a regex that should work with multiple log formats,
using 2 types of log format.
1)
log format:
5 auth_mechanism: SSO_ISE auth group
[syslog_pass1]
regex =(?P<user_agent>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1 cust_field::$2
2)
In the second log format, one new field (proxy_id) is added in between user_agent and cust_field.
Log Format:
5 3 auth_mechanism: SSO_ISE auth group
[syslog_pass2]
regex =(?P<user_agent>\s+[(\S+)])(?P<proxy_instance_id>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1 proxy_id::$2 cust_field::$3
We wrote 2 regexes for the different log formats, but field extraction is not happening properly.
If the log is coming in this log format: 5 auth_mechanism: SSO_ISE, then I am getting the field value for user_agent as 5, proxy_id as a, and cust_field as auth_mechanism: SSO_ISE.
How do I correct the regex to get the correct values for the fields?

maciep
Champion
09-14-2019
06:10 AM
Assuming that is the entire message and useragent/proxy id will be numbers, I'd probably write it like this, with just one regex.
^\s*(?<user_agent>\d+)\s*(?<proxy_id>\d*)\s*(?<cust_field>[^:]+)
Also, I believe if you specify the named capture group in your regex, then you don't need to specify the FORMAT... at least at search time.
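As an added illustration (not part of maciep's reply or of Splunk itself), the single regex above applied in Python to one constructed event per log format from the question; Python's `re` only accepts the `(?P<name>...)` spelling for named groups, so the groups are written that way here, and the `extract_fields` helper and sample events are assumptions.

```python
import re

# The single extraction from the reply above, with Python's (?P<name>...) group
# syntax. A run of digits is user_agent, an optional run of digits is proxy_id,
# and cust_field is everything up to the first colon.
FIELD_RE = re.compile(
    r"^\s*(?P<user_agent>\d+)\s*(?P<proxy_id>\d*)\s*(?P<cust_field>[^:]+)"
)


def extract_fields(event: str) -> dict:
    """Return the named captures for one event, or {} when the regex does not match.

    proxy_id stays an empty string for events that carry no proxy id, so callers
    can tell "matched, field absent" apart from "no match at all".
    """
    match = FIELD_RE.search(event)
    if match is None:
        return {}
    return match.groupdict()


# Constructed sample events, one per log format described in the question.
SAMPLE_EVENTS = [
    "5 auth_mechanism: SSO_ISE auth group",    # format 1: no proxy id
    "5 3 auth_mechanism: SSO_ISE auth group",  # format 2: proxy id present
]

if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        print(repr(line), "->", extract_fields(line))
```

Note that `[^:]+` stops at the first colon, so cust_field comes out as `auth_mechanism` rather than the `auth_mechanism: SSO_ISE` value the two-regex setup produced; widen that character class if the part after the colon is needed.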
