Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Regex Extraction for Field

pchintha
Engager
‎12-27-2021 07:49 PM

Hi,

From the below events i need to extract the field called "Event_Name" which is associated with "BeyondTrust_PBUL_ACCEPT_Event" from below 3 events

Desired output: Event_Name(filed name)=BeyondTrust_PBUL_ACCEPT_Event(field value)

Example Event 1:

<86>Dec 22 ddppvc0729 pbmerd2.1.0-12: BeyondTrust_PBUL_ACCEPT_Event: Time_Zone='IST'; Request_Date='2021/1/27'; Request_Time='2:2:51'; Request_End_Date='2021/1/27'; Request_End_Time='22:1:51';Submit_User='spnt'; Submit_Host='wcpl.com'; 

Example Event 2:

<83>Dec 22 ddpc0729 pbmerd21.1.0-12: [2658] 5105.1 failed to get ACK packet during a CMD_SWAPTTY_ONE_LINE sequence - read failure in receive acknowledgement

Example Event 3:

<38>Dec 22 ddppvc0729 root[25132]: [ID 7011 auth.info] CEF:0|BeyondTrust|PowerBroker|1.1.0-12|7011|PBEvent=Accept|4|act=Accept end=Dec 1 2021 1:11:40 shost=dc8 dvchost=dc8 suser=t8adsfk duser=root filePath=/opt/ cs1Label=Ticket cs1=Not_Applicable deviceExternalId=0a2adfersds9 fname=./SSB_Refresh_Pbrun_Local_Policy_Files.sh

 

What i tried from regex extraction:

Input: (?<Event_Name>\w{10}[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+_[a-zA-Z]+)

Output: matching 2 places from above 3 events

pchintha_0-1640663261600.png

 

 

 

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎12-28-2021 08:32 AM

Please clarify which part of each event is the Event_Name, especially Example 2.

Are the sample events from the same sourcetype?  They look very different, which means they can have different field extractions.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Advanced Splunk Data Management Strategies

Join us on Wednesday, May 14, 2025, at 11 AM PDT / 2 PM EDT for an exclusive Tech Talk that delves into ...

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Last month, I met with a Senior Fraud Analyst at a nationally recognized bank to discuss their recent success ...

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

What has been announced?  In the blog, “Preparing your Splunk Environment for OpensSSL3,”we announced the ...