Hello,

I'm trying to analyze WatchGuard firewall logs received by Splunk using syslog on udp 514 port.

I was able to find a well working regex to use in a search using the following rex command in order to extract needed fields :

*
| rex field=_raw ".*\s(?<HOSTNAME>\S+)\s(?<PROCESS>\S+):\s.*\s(?<DISPOSITION>(Allow|Deny))\s(?<SRC_INT>\S+)\s(?<DST_INT>\S+)\s.*(?<PR>(icmp|igmp|tcp|udp)).*\s(?<SRC_IP>[[octet]](?:\.[[octet]]){3})\s(?<DST_IP>[[octet]](?:\.[[octet]]){3})\s(?<SRC_PORT>\d{1,5})\s(?<DST_PORT>\d{1,5})\s.*\((?P<RULE_NAME>.*)?(-00)\)$"
| table HOSTNAME,PROCESS,DISPOSITION,SRC_INT,DST_INT,PR,SRC_IP,DST_IP,SRC_PORT,DST_PORT,RULE_NAME

Result is a table as we can see in attachment.

Now, in order to optimize all of that, i would like to be able to extract all these fields automatically without having the need to use a rex command in each search i run...

i tryed using the Splunk Field extraction wizard, both using the automatic regex generator and by copy paste my search regex, but no success...

i suppose i missed something somewhere ?

thanks for your help

Florent