Splunk Search

How to custom field extract for the field "ending with"?

e400425
New Member

My sample log (modified to remove confidential data) looks like the following.

Apr  9 13:54:13 10.195.247.77 04/09/2018:07:38:18 GMT CitrixNetscalerDevice1 0-PPE-1 : default SSLVPN ICASTART 8054764 0 :  Source 192.168.247.221:11905 - Destination 10.196.164.81:1494 - username:domainname User1:Region1 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:38:18 GMT" - connectionId 848984
Apr  9 13:54:12 10.195.247.77 04/09/2018:07:38:17 GMT CitrixNetscalerDevice1 0-PPE-3 : default SSLVPN ICASTART 8060292 0 :  Source 192.168.213.191:10528 - Destination 172.26.22.255:1494 - username:domainname User2:Region1 - applicationName BusienssVDI-2_0-W-P-006-T2 $S10-10 - startTime "04/09/2018:07:38:17 GMT" - connectionId 911007
Apr  9 13:54:05 169.76.248.92 04/09/2018:07:57:59 GMT CitrixNetscalerDevice2 0-PPE-1 : default SSLVPN ICASTART 5981923 0 :  Source 192.168.235.25:10583 - Destination 10.117.16.219:1494 - username:domainname User3:Region3 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:57:59 GMT" - connectionId 9e590d
Apr  9 13:54:05 169.76.248.92 04/09/2018:07:57:59 GMT CitrixNetscalerDevice2 0-PPE-1 : default SSLVPN ICASTART 5981922 0 :  Source 192.168.206.28:10420 - Destination 172.28.79.20:1494 - username:domainname User4:Region2 - applicationName BusienssVDI-2_0-W-P-001-T1 $S1-1 - startTime "04/09/2018:07:57:59 GMT" - connectionId 9e590c
Apr  9 13:54:03 169.76.248.92 04/09/2018:07:57:58 GMT CitrixNetscalerDevice2 0-PPE-2 : default SSLVPN ICASTART 5482686 0 :  Source 192.168.221.39:10693 - Destination 169.77.183.175:1494 - username:domainname User5:Region3 - applicationName Remote Desktop Connection - startTime "04/09/2018:07:57:57 GMT" - connectionId 9a7052
Apr  9 13:54:02 10.117.59.155 04/09/2018:13:54:02 GMT CitrixNetscalerDevice3 0-PPE-3 : default SSLVPN ICASTART 4865811 0 :  Source 192.168.224.220:11758 - Destination 169.76.140.48:1494 - username:domainname User6:Region3 - applicationName MyFULLSCREEN - startTime "04/09/2018:13:54:02 GMT" - connectionId a524a0
Apr  9 13:54:01 10.195.247.100 04/09/2018:13:54:01 GMT CitrixNetscalerDevice4 0-PPE-2 : default SSLVPN ICASTART 7084575 0 :  Source 192.168.244.50:11904 - Destination 10.196.196.217:1494 - username:domainname User7:Region1 - applicationName BusienssVDI-2_0-W-P-001-T1 $S2-1 - startTime "04/09/2018:13:54:01 GMT" - connectionId 82a028

My Splunk query to retrieve the important fields at search time is as follows.

index=MyIndex ICAEND NOT ANONYMOUS
| rex field=_raw "GMT (?P<CAGName>[^\s]+)"
| eval CAGName=upper(CAGName)
| rex field=_raw "username:domainname (?P<CAGUserName>\w+)"
| eval CAGUserName=upper(CAGUserName)
| rex field=_raw "\s\"(?<StartTime>\d+\/\d+\/\d+\:\d+:\d+:\d+\sGMT)"
| rex field=_raw "Source\s(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "Destination\s(?<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| table StartTime,CAGUserName,CAGName,Source,Destination

I want to do a custom field extraction for ApplicationName, i.e. everything between the word "applicationName\s" and "-\sstartTime".
So,

    | rex field=_raw "applicationName\s(?<ApplicationName>HelpMeWriteSomethingHereToDoCustomFieldExtact)"

Can someone help me complete the following?

0 Karma
1 Solution

somesoni2
Revered Legend

Try like this

...| rex field=_raw "applicationName\s(?<ApplicationName>.+)\s-\sstartTime"


0 Karma

somesoni2
Revered Legend

If the position of the values you want to extract doesn't change, you can combine multiple field extractions into one like this:

index=MyIndex ICAEND NOT ANONYMOUS
| rex "^(\S+\s+){6}(?P<CAGName>\S+).+\sSource\s+(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+-\s+Destination\s+(?<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+-\s+username:domainname\s+(?P<CAGUserName>\S+)\s+-\s+applicationName\s(?<ApplicationName>.+)\s+-\s+startTime\s+\"(?<StartTime>[^\"]+)\"\s+-\s+connectionId\s+(?<ConnectionId>\S+)"

0 Karma
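The accepted answer and the combined rex above both rely on the same idea: anchor the open-ended ApplicationName capture on the literal " - startTime" delimiter that follows it. As an added example (not part of this thread, and not Splunk's own code), the script below runs the equivalent extraction in Python's `re` module over two constructed lines copied from the sanitized sample events, so the groups can be checked offline before the pattern is pasted into a search. Assumptions: Python only accepts the `(?P<name>...)` group syntax, the dots in the IP address groups are escaped so `.` cannot match a digit, the ApplicationName capture is made lazy (`.+?`) so it stops at the first " - startTime" rather than the last, and the username group is split into a hypothetical extra `Domain` group; none of those choices come from the thread.

```python
import re

# Constructed sample lines in the shape of the NetScaler ICASTART events posted in the question.
SAMPLE_LOGS = [
    'Apr  9 13:54:13 10.195.247.77 04/09/2018:07:38:18 GMT CitrixNetscalerDevice1 0-PPE-1 : default SSLVPN ICASTART 8054764 0 :  Source 192.168.247.221:11905 - Destination 10.196.164.81:1494 - username:domainname User1:Region1 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:38:18 GMT" - connectionId 848984',
    'Apr  9 13:54:03 169.76.248.92 04/09/2018:07:57:58 GMT CitrixNetscalerDevice2 0-PPE-2 : default SSLVPN ICASTART 5482686 0 :  Source 192.168.221.39:10693 - Destination 169.77.183.175:1494 - username:domainname User5:Region3 - applicationName Remote Desktop Connection - startTime "04/09/2018:07:57:57 GMT" - connectionId 9a7052',
]

# Single pattern covering every field the thread extracts. Python needs (?P<name>...);
# the IP dots are escaped (\.) so they only match a literal dot, and ApplicationName
# uses a lazy .+? so the capture ends at the first " - startTime" delimiter.
ICASTART_RE = re.compile(
    r"^(?:\S+\s+){6}(?P<CAGName>\S+)"                               # 7th whitespace-separated token
    r".+?\sSource\s+(?P<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):\d+"
    r"\s+-\s+Destination\s+(?P<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):\d+"
    r"\s+-\s+username:domainname\s+(?P<CAGUserName>\w+):(?P<Domain>\S+)"  # Domain group is an assumption
    r"\s+-\s+applicationName\s(?P<ApplicationName>.+?)\s+-\s+startTime\s+\"(?P<StartTime>[^\"]+)\""
    r"\s+-\s+connectionId\s+(?P<ConnectionId>\S+)"
)


def extract_fields(line):
    """Return the extracted fields for one event, or None when the line does not match.

    Mirrors the search-time pipeline: rex captures, then upper() on CAGName and CAGUserName.
    """
    match = ICASTART_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    fields["CAGName"] = fields["CAGName"].upper()
    fields["CAGUserName"] = fields["CAGUserName"].upper()
    return fields


def field_table(lines):
    """Equivalent of the trailing '| table ...' command: one row per matching event."""
    columns = ("StartTime", "CAGUserName", "CAGName", "Source", "Destination", "ApplicationName")
    rows = []
    for line in lines:
        fields = extract_fields(line)
        if fields is not None:  # unmatched events are simply dropped, as rex would leave them without fields
            rows.append(tuple(fields[c] for c in columns))
    return rows


if __name__ == "__main__":
    for row in field_table(SAMPLE_LOGS):
        print(" | ".join(row))
```

Application names that contain spaces or `$S2-2`-style suffixes are captured whole, and a line without the `applicationName ... - startTime` pair simply yields no fields, which is the same behaviour you see in Splunk when rex finds no match.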