How do I edit this regex for proper field extraction dealing with both single and double spaces?

donaldwayne1975
Path Finder

Having issues getting field extraction on Cisco ASA lines to work consistently without getting invalid information. Field extraction generates the following regex:

"^(?:[^ \n]* ){8}(?P<ASAMSGCODE>[^:]+)"  

The events that are skewed report the value as CDT. When the field extraction is performed on this set of events, the regex is:

"^(?:[^ \n]* ){9}(?P<ASAMSGCODE>[^:]+)"

It appears to be counting spaces. The example where {8} is has a single space between the Aug and the 10, where the {9} has a double space between the Aug and the 9. I have attempted several manipulations on the regex without success.

Example where {8}

Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group "aclname" [0x0, 0x0]

Example where {9}

Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group "aclname" [0x0, 0x0]

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The automatic field extractor leaves something to be desired. Using your sample data and regex101.com, this seems to work.

(?P<ASAMSGCODE>%ASA[^:]+)
---
If this reply helps you, Karma would be appreciated.

somesoni2
Revered Legend

Based on your log sample, you want to extract the value %ASA-session-4-106023 and it's always prefixed by CDT:. If this is correct, just try this.

CDT:\s*(?P<ASAMSGCODE>[^:]+)

A sample run-anywhere query with your sample data, which was used for testing.

| gentimes start=-1 | eval temp="Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group \"aclname\" [0x0, 0x0]$Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src devicename dst outside:devicename by access-group \"aclname\" [0x0, 0x0]" | table temp | makemv temp delim="$" | mvexpand temp | rename temp as _raw | rex "CDT:\s*(?P<ASAMSGCODE>[^:]+)"
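To see why the auto-generated regex flips between {8} and {9} while both answers above stay stable, here is an added Python check (not from the thread or from Splunk) that runs all four regexes over the two sample events. Python's re module shares Splunk's (?P<name>...) syntax, so the patterns are used unchanged; the double space before "9" lets `[^ \n]*` match an empty token, which is what shifts the count by one.

```python
import re

# Constructed copies of the two events posted in the question ("#.#.#.#" is the
# poster's own sanitisation). Note the TWO spaces between "Aug" and "9" in the second.
EVENTS = [
    'Aug 10 11:07:10 #.#.#.# :Aug 10 11:07:10 CDT: %ASA-session-4-106023: Deny icmp src '
    'devicename:#.#.#.# dst inside:devicename (type 8, code 0) by access-group "aclname" [0x0, 0x0]',
    'Aug  9 23:59:58 #.#.#.# :Aug 09 23:59:59 CDT: %ASA-session-4-106023: Deny tcp src '
    'devicename dst outside:devicename by access-group "aclname" [0x0, 0x0]',
]

# The regexes quoted in the thread; the first two are the field extractor's token-counting
# output, the last two are the anchored versions from the answers.
REGEXES = {
    "auto_8_tokens": r"^(?:[^ \n]* ){8}(?P<ASAMSGCODE>[^:]+)",
    "auto_9_tokens": r"^(?:[^ \n]* ){9}(?P<ASAMSGCODE>[^:]+)",
    "anchor_asa":    r"(?P<ASAMSGCODE>%ASA[^:]+)",
    "anchor_cdt":    r"CDT:\s*(?P<ASAMSGCODE>[^:]+)",
}


def extract(pattern, event):
    """Return the ASAMSGCODE capture for one event, or None when the regex does not match."""
    m = re.search(pattern, event)
    return m.group("ASAMSGCODE") if m else None


def extract_all(pattern, events=EVENTS):
    """Apply one regex to every sample event, in order."""
    return [extract(pattern, e) for e in events]


def is_consistent(pattern, events=EVENTS):
    """Regression check to run before saving a field: every event must yield a value that
    looks like an ASA message code, otherwise a table or stats over the field is skewed."""
    values = extract_all(pattern, events)
    return all(v is not None and v.startswith("%ASA-") for v in values)


if __name__ == "__main__":
    for name, pattern in REGEXES.items():
        print(f"{name:14} consistent={is_consistent(pattern)!s:5} -> {extract_all(pattern)}")
```

Running it shows the {8} regex returning "CDT" for the double-space event and the {9} regex misfiring on the single-space one, while both anchored regexes return the same message code for every event.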

donaldwayne1975
Path Finder

Worked like a champ.

0 Karma

skoelpin
SplunkTrust
SplunkTrust

What exactly are you trying to extract? Do you want whatever is where the # sign is in your example?

You could use a \s+? to capture either a single or double space. Give me a line or two of exactly what you want extracted.

0 Karma

donaldwayne1975
Path Finder

I am looking to extract the ASA message code values (ex. %ASA-session-4-106023) to generate a table like the one in the original attached image. The #'s were numbers that I sanitized from the log line.

0 Karma