Splunk Dev

facing issue in field extraction for regex

pragycho
Loves-to-Learn
Hi All,
I wish to create a regex that should work with multiple log format
using  2 type log format.
1)
log format:
5 auth_mechanism: SSO_ISE auth group

[syslog_pass1]
regex =(?P<user_agent>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?)
FORMAT= user_agent::$1  cust_field::$2

2)
In second log format , one new field(proxy_id) is added in between user_agent ad cust_field.
Log Format:
 5 3 auth_mechanism: SSO_ISE auth group

[syslog_pass2]
regex =(?P<user_agent>\s+[(\S+)])(?P<proxy_instance_id>\s+[(\S+)])(?P<cust_field>(?:\s+(?:\")?([^\"$]+))?) 
FORMAT= user_agent::$1 proxy_id::$2 cust_field::$3

we wrote 2 regex for different log format.but field extration is not happening properly
if log is coming in  this log  format:  5 auth_mechanism: SSO_ISE  but so i am getting field value for user_agent is 5 , proxy_id is a , cust_field is auth_mechanism: SSO_ISE.
how to correct the regex for getting correct value of field ?
Tags (1)
0 Karma

maciep
Champion

Assuming that is the entire message and useragent/proxy id will be numbers, I'd probably write it like this, with just one regex.

^\s*(?<user_agent>\d+)\s*(?<proxy_id>\d*)\s*(?<cust_field>[^:]+)

Also, I believe if you specify the named capture group in your regex, then you don't need to specify the FORMAT....at least at search time.

0 Karma
Get Updates on the Splunk Community!

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

In today’s evolving threat landscape, we understand you’re constantly bombarded with phishing and malware ...

AppDynamics is now part of Splunk Ideas

Hello Splunkers, We have exciting news for you! AppDynamics has been added to the Splunk Ideas Portal. Which ...

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...