I have a simple request 🙂 For a certain syslog source, I need to extract the 3rd word counting from the end of a line. That's all. In a regular regex, the following works:
(\S*)[ ]\S*[ ]\S*$
And this correctly matches SEVERE_ERROR and NORMAL_EVENT on the following lines:
Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573
Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683
However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field 😞
Any help is greatly appreciated 😉
You can add the regex extraction to the props.conf file, e.g.
$SPLUNK_HOME/etc/system/local/props.conf, or to the props.conf of the app in which you want that extraction:
[syslog]
EXTRACT-some-fields = ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$
severity, source_file and line_no are the example field names. Splunk uses PCRE named groups to define the field name for extractions.
I appreciate your help very much ;), but this does not seem to work...
While source_file and line_no are correctly extracted, I get "T" & "R" as severity in my log files. These correspond to the last letter of NORMAL_EVENT and SEVERE_ERROR respectively...
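The regexes from this thread, run over the two events quoted in the question, as an added example that is not part of the original posts. It is plain Python rather than Splunk, so the named groups are written `(?P<name>...)` (Python's `re` syntax) instead of the `(?<name>...)` form Splunk's PCRE accepts; the patterns are otherwise unchanged. The third pattern, with the `\s+` before the severity group dropped, is an assumption about what the follow-up poster actually had in props.conf, but it reproduces the reported single-letter "R"/"T" result exactly, which is why the whitespace anchor matters.

```python
import re
from typing import Dict, Optional

# The two events from the question (copied from the thread, not invented).
EVENTS = [
    "Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept "
    "error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) "
    "SEVERE_ERROR ../cf_ssl.cpp 1573",
    "Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query "
    "of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast "
    "compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683",
]

# The asker's end-anchored regex. A search scans the whole event, so the
# pattern does not have to start at the beginning of the line.
ASKER_RE = re.compile(r"(\S*)[ ]\S*[ ]\S*$")

# The answer's extraction, with (?P<name>...) instead of Splunk's (?<name>...).
ANSWER_RE = re.compile(
    r"ProxySG.+\s+(?P<severity>\w+) (?P<source_file>\S+) (?P<line_no>\d+)$"
)

# Same pattern without the \s+ before the severity group (assumed variant).
# Greedy .+ backtracks only as far as it must, so \w+ is left holding just
# the final letter of the severity word: "R" for SEVERE_ERROR, "T" for
# NORMAL_EVENT, which is the symptom described in the follow-up.
NO_WS_RE = re.compile(
    r"ProxySG.+(?P<severity>\w+) (?P<source_file>\S+) (?P<line_no>\d+)$"
)


def third_word_from_end(event: str) -> Optional[str]:
    """Group 1 of the asker's regex: the third space-delimited word from the end."""
    m = ASKER_RE.search(event)
    return m.group(1) if m else None


def extract_fields(event: str, pattern=ANSWER_RE) -> Dict[str, str]:
    """Return the named groups the pattern captures, like an EXTRACT-* rule.

    An event the pattern does not match yields no fields at all, which is
    also what Splunk does for a non-matching EXTRACT-* regex.
    """
    m = pattern.search(event)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for ev in EVENTS:
        print(third_word_from_end(ev))
        print("with \\s+:   ", extract_fields(ev))
        print("without \\s+:", extract_fields(ev, NO_WS_RE))
```

Before committing a pattern to props.conf, the same regex can be tried interactively in a Splunk search with the `rex` command, which uses the PCRE form of the named groups: `... | rex field=_raw "ProxySG.+\s+(?<severity>\w+) (?<source_file>\S+) (?<line_no>\d+)$"`. If severity comes back as a single letter there, the whitespace anchor in front of the group is the first thing to check.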