Splunk Search

How do I edit this regex for proper field extraction dealing with both single and double spaces?

donaldwayne1975
Path Finder

Having issues getting field extraction on Cisco ASA lines to work consistently without getting invalid information. Field extraction generates the following regex:

"^(?:[^ \n]* ){8}(?P<ASAMSGCODE>[^:]+)"  

The events that are skewed report the value as CDT. When the field extraction is performed on this set of events, the regex is:

"^(?:[^ \n]* ){9}(?P<ASAMSGCODE>[^:]+)"

It appears to be counting spaces. The example where {8} is has a single space between the Aug and the 10, where the {9} has a double space between the Aug and the 9. I have attempted several manipulations on the regex without success.

Example where {8}

Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group "aclname" [0x0, 0x0]

Example where {9}

Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group "aclname" [0x0, 0x0]

alt text

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The automatic field extractor leaves something to be desired. Using your sample data and regex101.com, this seems to work.

(?P<ASAMSGCODE>%ASA[^:]+)
---
If this reply helps you, Karma would be appreciated.

View solution in original post

somesoni2
Revered Legend

Based on your log sample, you want to extract value %ASA-session-4-106023 and it's always prefix by CDT:. If this is correct, just try this.

CDT:\s*(?P<ASAMSGCODE>[^:]+)

A sample runanywhere query with your sample data which used for testing.

| gentimes start=-1 | eval temp="Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group \"aclname\" [0x0, 0x0]$Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group \"aclname\" [0x0, 0x0]" | table temp | makemv temp delim="$" | mvexpand temp | rename temp as _raw | rex "CDT:\s*(?P<ASAMSGCODE>[^:]+)"

richgalloway
SplunkTrust
SplunkTrust

The automatic field extractor leaves something to be desired. Using your sample data and regex101.com, this seems to work.

(?P<ASAMSGCODE>%ASA[^:]+)
---
If this reply helps you, Karma would be appreciated.

donaldwayne1975
Path Finder

Worked like a champ.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

What exactly are you trying to extract? Do you want whatever is where the # sign is in your example?

You could use a \s+? to capture either a single or double space.. Give me a line or two of exactly what you want extracted

0 Karma

donaldwayne1975
Path Finder

I am looking to extract the ASA message code values (ex. %ASA-session-4-106023) to generate table like the original attached image. The #'s were numbers that I sanitized from the log line.

0 Karma
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...