Splunk Search

How to edit my regex for props and transforms.conf to extract all values for two fields?

splunk_kk
Path Finder

Hello,

I have logs coming from one of my applications were the events are structured differently. I want to extract "user" and "action" from these events, but the logs don't have a consistent pattern. I have written 3 different extractions for "user" and "actions", but when I use them in props.conf, not all the values are extracted. How can I extract these fields if they come in the events, but at different places?

My regex is mentioned below:

props.conf

[mysourcetype]
EXTRACT-user=^(?:[^\-\n]*\-){4}\d+>\s+<\w+\s+(?P[^ ]+)
EXTRACT-user=user:(?P\S+)(\s|\>)
EXTRACT-user=username\s(?P\S+)>

EXTRACT-action=\swas\s(?Plogin)\s
EXTRACT-action=\<(?P\S+)\ss
EXTRACT-action=\](?P\S+)\sJoined

I have also tried using transforms.conf, but no luck. Request your help.

0 Karma
1 Solution

dshpritz
SplunkTrust
SplunkTrust

Your extracts need to have different names, and you should use named capture groups, like so:

[mysourcetype]
EXTRACT-user0=^(?:[^\-\n]*\-){4}\d+>\s+<\w+\s+(?<user>[^ ]+)
EXTRACT-user1=user:(?<user>\S+)(\s|\>)
EXTRACT-user2=username\s(?<user>\S+)>

EXTRACT-action0=\swas\s(?<action>login)\s
EXTRACT-action1=\<(?<action>\S+)\ss
EXTRACT-action2=\](?<action>\S+)\sJoined

HTH,

Dave

View solution in original post

dshpritz
SplunkTrust
SplunkTrust

Your extracts need to have different names, and you should use named capture groups, like so:

[mysourcetype]
EXTRACT-user0=^(?:[^\-\n]*\-){4}\d+>\s+<\w+\s+(?<user>[^ ]+)
EXTRACT-user1=user:(?<user>\S+)(\s|\>)
EXTRACT-user2=username\s(?<user>\S+)>

EXTRACT-action0=\swas\s(?<action>login)\s
EXTRACT-action1=\<(?<action>\S+)\ss
EXTRACT-action2=\](?<action>\S+)\sJoined

HTH,

Dave

ppablo
Retired

Hi @splunk_kk

It'll be helpful if you could share some sample data for other users to help you with your regex syntax. Just be sure to anonymize sensitive data as needed before posting it.

Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...