Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do you extract multiple substrings from th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm new to splunk.
I have a log event in the following format. The report should capture the Hostname, Agentname and Resource. Also, I'd like to remove the duplicate entries.
[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource]
[TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]
and log entry example is below
AuthAccept Hostname [03/Dec/2018:17:43:06 -0600] "ClientIP UserDN" "Agentname GET /WMT_Logon/Account/LogOn?ViewFlag=false" [idletime=1800;maxtime=603603054;authlevel=5;] [0] [] []
CN = FirstName LastName host = HostName source = c:\Program Files (x86)\ca\siteminder\log\smaccess-dotoksm03pv.log sourcetype = smaccess
I want hostname, Agentname, Resource and Resource in above example is /WMT_Logon/Account/LogOn?ViewFlag=false. But could be different for every event.
I appreciate any help writing this search string. Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""
| table Hostname, Agentname Resource | dedup Hostname, Agentname Resource
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this
index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P[^\s]+)([^\]]+)\]\s\"(?P[^\"]+)\"\s\"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^\"]+)\""
| table Hostname, Agentname Resource | dedup Hostname, Agentname Resource
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I figure out the error, Instead of P , you need to put actual field name. here is final syntax. Thanks for your help
(?[^\s]+)([^]]+)]\s\"(?[^\"]+)\"\s\"(?[^\s]+)\s(?[^\s]+)\s(?[^\"]+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
this site is hiding some characters, that is why you are not able to see the whole regex (fieldnames),
look at this https://www.regular-expressions.info/refext.html , you can see named capturing groups (3 ways)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks nagarjuna280 for your answer but I got the following error
Regex: unrecognized character after (?P and error entry in the log file is
12-04-2018 21:43:51.453 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Encountered the following error while compiling the regex '\w+\s+(?P[^\s]+)([^]]+)]\s"(?P[^"]+)"\s"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^"]+)"': Regex: unrecognized character after (?P
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Agent Mode Engaged! Enchaining Agentic Operations with Splunk AI Assistant 2.0
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
