
How to custom field extract for the field "ending with"?

e400425
New Member

My sample log (modified to remove confidential data) looks like the following.

Apr  9 13:54:13 10.195.247.77 04/09/2018:07:38:18 GMT CitrixNetscalerDevice1 0-PPE-1 : default SSLVPN ICASTART 8054764 0 :  Source 192.168.247.221:11905 - Destination 10.196.164.81:1494 - username:domainname User1:Region1 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:38:18 GMT" - connectionId 848984
Apr  9 13:54:12 10.195.247.77 04/09/2018:07:38:17 GMT CitrixNetscalerDevice1 0-PPE-3 : default SSLVPN ICASTART 8060292 0 :  Source 192.168.213.191:10528 - Destination 172.26.22.255:1494 - username:domainname User2:Region1 - applicationName BusienssVDI-2_0-W-P-006-T2 $S10-10 - startTime "04/09/2018:07:38:17 GMT" - connectionId 911007
Apr  9 13:54:05 169.76.248.92 04/09/2018:07:57:59 GMT CitrixNetscalerDevice2 0-PPE-1 : default SSLVPN ICASTART 5981923 0 :  Source 192.168.235.25:10583 - Destination 10.117.16.219:1494 - username:domainname User3:Region3 - applicationName BusinessApp WorkSpace $S2-2 - startTime "04/09/2018:07:57:59 GMT" - connectionId 9e590d
Apr  9 13:54:05 169.76.248.92 04/09/2018:07:57:59 GMT CitrixNetscalerDevice2 0-PPE-1 : default SSLVPN ICASTART 5981922 0 :  Source 192.168.206.28:10420 - Destination 172.28.79.20:1494 - username:domainname User4:Region2 - applicationName BusienssVDI-2_0-W-P-001-T1 $S1-1 - startTime "04/09/2018:07:57:59 GMT" - connectionId 9e590c
Apr  9 13:54:03 169.76.248.92 04/09/2018:07:57:58 GMT CitrixNetscalerDevice2 0-PPE-2 : default SSLVPN ICASTART 5482686 0 :  Source 192.168.221.39:10693 - Destination 169.77.183.175:1494 - username:domainname User5:Region3 - applicationName Remote Desktop Connection - startTime "04/09/2018:07:57:57 GMT" - connectionId 9a7052
Apr  9 13:54:02 10.117.59.155 04/09/2018:13:54:02 GMT CitrixNetscalerDevice3 0-PPE-3 : default SSLVPN ICASTART 4865811 0 :  Source 192.168.224.220:11758 - Destination 169.76.140.48:1494 - username:domainname User6:Region3 - applicationName MyFULLSCREEN - startTime "04/09/2018:13:54:02 GMT" - connectionId a524a0
Apr  9 13:54:01 10.195.247.100 04/09/2018:13:54:01 GMT CitrixNetscalerDevice4 0-PPE-2 : default SSLVPN ICASTART 7084575 0 :  Source 192.168.244.50:11904 - Destination 10.196.196.217:1494 - username:domainname User7:Region1 - applicationName BusienssVDI-2_0-W-P-001-T1 $S2-1 - startTime "04/09/2018:13:54:01 GMT" - connectionId 82a028

My Splunk query to retrieve the important fields at search time is as follows.

index=MyIndex ICAEND NOT ANONYMOUS
| rex field=_raw "GMT (?P<CAGName>[^\s]+)" 
| eval CAGName=upper(CAGName) 
| rex field=_raw "username:domainname (?P<CAGUserName>\w+)"
| eval CAGUserName=upper(CAGUserName)
| rex field=_raw "\s\"(?<StartTime>\d+\/\d+\/\d+\:\d+:\d+:\d+\sGMT)"
| rex field=_raw "Source\s(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| rex field=_raw "Destination\s(?<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| table StartTime,CAGUserName,CAGName,Source,Destination

I want to do a custom field extraction for ApplicationName, i.e. everything between the word "applicationName\s" and "-\sstartTime".
So,

    | rex field=_raw "applicationName\s(?<ApplicationName>HelpMeWriteSomethingHereToDoCustomFieldExtact)"

Can someone help me complete the following?

somesoni2
Revered Legend

Try like this

...| rex field=_raw "applicationName\s(?<ApplicationName>.+)\s-\sstartTime"


somesoni2
Revered Legend

If the position of the values you want to extract doesn't change, you can combine multiple field extractions into one like this:

index=MyIndex ICAEND NOT ANONYMOUS
| rex "^(\S+\s+){6}(?P<CAGName>\S+).+\sSource\s+(?<Source>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+-\s+Destination\s+(?<Destination>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+-\s+username:domainname\s+(?P<CAGUserName>\S+)\s+-\s+applicationName\s(?<ApplicationName>.+)\s+-\s+startTime\s+\"(?<StartTime>[^\"]+)\"\s+-\s+connectionId\s+(?<ConnectionId>\S+)"