Hello,

I have a simple request 🙂 For a certain syslog source, I need to extract the 3rd word beginning from the end of a line. That's all. In a regular regex, the following works:

(\S*)[ ]\S*[ ]\S*$

And this matches correctly the SEVERE_ERROR and NORMAL_EVENT on the following lines:

Nov 25 13:55:04 x.x.x.x Nov 25 13:55:01 ProxySG: 310000 CFSSL:SSL_accept error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca(0) SEVERE_ERROR ../cf_ssl.cpp 1573
Nov 25 13:47:49 x.x.x.x Nov 25 13:47:47 ProxySG: 90000 NTP: Periodic query of server x.x.x.x, time within acceptable variance, 0 seconds, 8 ms fast compared to NTP time.(0) NORMAL_EVENT ../ntp.cpp 683

However, how do I translate this into Splunk? When I try the Interactive Field Extractor, it always wants to start from the beginning of a line and I can't seem to get the correct Splunked regex for this field 😞

Any help is greatly appreciated 😉