Splunk Search

How do I edit this regex for proper field extraction dealing with both single and double spaces?

donaldwayne1975
Path Finder

Having issues getting field extraction on Cisco ASA lines to work consistently without getting invalid information. Field extraction generates the following regex:

"^(?:[^ \n]* ){8}(?P<ASAMSGCODE>[^:]+)"  

The events that are skewed report the value as CDT. When the field extraction is performed on this set of events, the regex is:

"^(?:[^ \n]* ){9}(?P<ASAMSGCODE>[^:]+)"

It appears to be counting spaces. The example where {8} is has a single space between the Aug and the 10, where the {9} has a double space between the Aug and the 9. I have attempted several manipulations on the regex without success.

Example where {8}

Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group "aclname" [0x0, 0x0]

Example where {9}

Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group "aclname" [0x0, 0x0]

alt text

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The automatic field extractor leaves something to be desired. Using your sample data and regex101.com, this seems to work.

(?P<ASAMSGCODE>%ASA[^:]+)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

somesoni2
Revered Legend

Based on your log sample, you want to extract value %ASA-session-4-106023 and it's always prefix by CDT:. If this is correct, just try this.

CDT:\s*(?P<ASAMSGCODE>[^:]+)

A sample runanywhere query with your sample data which used for testing.

| gentimes start=-1 | eval temp="Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group \"aclname\" [0x0, 0x0]$Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group \"aclname\" [0x0, 0x0]" | table temp | makemv temp delim="$" | mvexpand temp | rename temp as _raw | rex "CDT:\s*(?P<ASAMSGCODE>[^:]+)"

richgalloway
SplunkTrust
SplunkTrust

The automatic field extractor leaves something to be desired. Using your sample data and regex101.com, this seems to work.

(?P<ASAMSGCODE>%ASA[^:]+)
---
If this reply helps you, Karma would be appreciated.

donaldwayne1975
Path Finder

Worked like a champ.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

What exactly are you trying to extract? Do you want whatever is where the # sign is in your example?

You could use a \s+? to capture either a single or double space.. Give me a line or two of exactly what you want extracted

0 Karma

donaldwayne1975
Path Finder

I am looking to extract the ASA message code values (ex. %ASA-session-4-106023) to generate table like the original attached image. The #'s were numbers that I sanitized from the log line.

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...