<54>Nov 30 15:02:42 SymantecServer SR-SAAP-SEP01: Scan ID: 1448882755,Begin: 2015-11-30 11:47:09,End: 2015-11-30 11:58:44,Completed,Duration (seconds): 695,User1: SYSTEM,User2: SYSTEM,'Scan started on selected drives and folders and all extensions.','Scan Complete: Risks: 0 Scanned: 1472 Files/Folders/Drives Omitted: 0 Trusted Files Skipped: 1465',Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 1472,Omitted: 0,Computer: IBV-HQ-L12,IP Address: 172.18.10.34,Domain: Default,"Group: My Company\Workstations\Information Technology\",Server: SR-SAAP-SEP01
<54>Nov 30 15:00:42 SymantecServer SR-SAAP-SEP01: Scan ID: 1448884513,Begin: 2015-11-30 11:55:45,End: ,Started,Duration (seconds): 0,User1: z.Zomoniem,User2: ,'Scan started on selected drives and folders and all extensions.',,Command: Not a command scan (),Threats: 0,Infected: 0,Total files: 0,Omitted: 0,Computer: MLK-HQ-324,IP Address: 172.18.3.65,Domain: Default,Group: My Company\Workstations,Server: SR-SAAP-SEP01
am trying to create different types of reports that showing the the threat that I may face from viruses and not up to date machines, but the issue is that the event locks mess rather than that am not familiar with rex and regex commands and syntax.
Have you tried adding | extract pairdelim="," kvdelim=":"
to your search? You should also consider adding kv rex to your conf fileds
If those two are not an option and you must use rex, this should work
.*SymantecServer\s(?<server_name>[^:]+):[^:]+:\s(?<scan_id>\d+),[^\d]+(?<begin>[^,]+),[^\s]+\s(?<end>[^,]+)?,(?<status>\w+),[^:]+:\s(?<duration>\d+),[^\s]+\s(?<user1>[^,]+),[^:]+:\s(?<user2>[^,]+)?(.*)Command:\s(?<command>[^,]+).*Total files:\s(?<total_files>\d+),[^:]+:\s(?<omitted>\d+),[^:]+:\s(?<computer>[^,]+),[^:]+:\s(?<ip>[^,]+).*Server:\s(?<server>.*)
This will extract the fields that are in bold in your question
Have you tried adding | extract pairdelim="," kvdelim=":"
to your search? You should also consider adding kv rex to your conf fileds
If those two are not an option and you must use rex, this should work
.*SymantecServer\s(?<server_name>[^:]+):[^:]+:\s(?<scan_id>\d+),[^\d]+(?<begin>[^,]+),[^\s]+\s(?<end>[^,]+)?,(?<status>\w+),[^:]+:\s(?<duration>\d+),[^\s]+\s(?<user1>[^,]+),[^:]+:\s(?<user2>[^,]+)?(.*)Command:\s(?<command>[^,]+).*Total files:\s(?<total_files>\d+),[^:]+:\s(?<omitted>\d+),[^:]+:\s(?<computer>[^,]+),[^:]+:\s(?<ip>[^,]+).*Server:\s(?<server>.*)
This will extract the fields that are in bold in your question
Thanks @sundareshr, its working now as per your recommended solution,
where are you facing issues when doing the extractions?? are you using the field extractor or building the extractions yourself?