Hi everyone, I have VPN logs in this format:
2023-06-21T03:29:16+0000 [stdout#info] LOG ERR: 'LOG_DB RECORD {"username": "duocnv", "common_name": "duocnv", "start_time": 1687312988, "session_id": "aa2d4wW6GaPydjA4", "service": "VPN", "proto": "UDP", "port": "1194", "active": 1, "auth": 1, "version": "3.6.7", "gui_version": "OCmacOS_3.4.2-4547", "platform": "mac", "bytes_in": 1448266, "bytes_out": 15124146, "bytes_total": 16572412, "vpn_ip": "172.27.20.2", "duration": 5168, "node": "ip-10-250-101-154.ap-southeast-1.compute.internal", "timestamp": 1687318156}'
I used rex to extract the field "vpn_ip": index=openvpnas | rex field=_raw ".*\s"vpn_ip":\s*"(?<vpn_ip>[^"]+)"
But it shows this error: Error in 'SearchParser': Missing a search command before '^'. Error at position '96' of search query 'search index=openvpnas | search LOG_DB RECORD | re...{snipped} {errorcontext = ublic_ip>[^"]+)"}'.
Can anyone help me?
Hi @namlh,
you forgot to escape the quotes, which are a special char in regex, so please try this regex:
| rex "\"vpn_ip\":\s+\"(?<vpn_ip>\d+\.\d+\.\d+\.\d+)"
that you can test at https://regex101.com/r/bb1CzY/1
Anyway, these seem to be JSON logs; in this case you could use "INDEXED_EXTRACTIONS = json" in props.conf or the spath command (https://docs.splunk.com/Documentation/Splunk/9.0.5/SearchReference/Spath) to have the same result without using a regex.
Ciao.
Giuseppe
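As an added illustration (not part of the original thread, and not Splunk's own code), the two approaches from the answer carried out in Python on a constructed copy of the log line: the regex extraction, which mirrors the corrected rex pattern (in SPL the pattern sits inside a double-quoted string, so the inner quotes need `\"`; a Python raw string avoids that), and the structured extraction that spath relies on. It goes one step beyond the answer: the `_raw` event is not itself valid JSON, because the object is wrapped in `LOG ERR: 'LOG_DB RECORD {...}'`, so spath only works after the JSON substring has been pulled into its own field (the `JSON_RE` pattern and the helper names below are assumptions made for this example).

```python
import json
import re
from typing import List, Optional, Tuple

# Constructed sample lines modelled on the format in the question (not a real capture).
SAMPLE_LINE = (
    "2023-06-21T03:29:16+0000 [stdout#info] LOG ERR: 'LOG_DB RECORD "
    '{"username": "duocnv", "common_name": "duocnv", "start_time": 1687312988, '
    '"session_id": "aa2d4wW6GaPydjA4", "service": "VPN", "proto": "UDP", '
    '"port": "1194", "active": 1, "auth": 1, "version": "3.6.7", '
    '"gui_version": "OCmacOS_3.4.2-4547", "platform": "mac", '
    '"bytes_in": 1448266, "bytes_out": 15124146, "bytes_total": 16572412, '
    '"vpn_ip": "172.27.20.2", "duration": 5168, '
    '"node": "ip-10-250-101-154.ap-southeast-1.compute.internal", '
    '"timestamp": 1687318156}\''
)
# A line with no embedded record, to show that both extractors fail safely.
OTHER_LINE = "2023-06-21T03:29:17+0000 [stdout#info] LOG ERR: 'some other message'"

# Same pattern as the rex in the answer. A raw string keeps the quotes literal
# without the backslash escaping that SPL's double-quoted string needs.
VPN_IP_RE = re.compile(r'"vpn_ip":\s*"(?P<vpn_ip>\d+\.\d+\.\d+\.\d+)"')

# Assumed wrapper format: the JSON object follows "LOG_DB RECORD" and runs to
# the last closing brace before the trailing single quote.
JSON_RE = re.compile(r"LOG_DB RECORD (\{.*\})")


def extract_vpn_ip_regex(line: str) -> Optional[str]:
    """Field extraction by regex: the equivalent of the corrected rex command."""
    m = VPN_IP_RE.search(line)
    return m.group("vpn_ip") if m else None


def extract_record(line: str) -> Optional[dict]:
    """Structured extraction: isolate the embedded JSON and parse it.

    This is the precondition for spath: it needs a field holding valid JSON,
    so the "LOG ERR: '...'" wrapper has to be stripped first (in Splunk, rex
    the object into a field, then spath input=<that field>).
    """
    m = JSON_RE.search(line)
    if not m:
        return None
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return None


def index_sessions(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (username, vpn_ip, bytes_total) for every line carrying a record.

    Lines without a parsable record are skipped rather than producing
    partial rows, so the output is safe to join against other sources.
    """
    rows = []
    for line in lines:
        rec = extract_record(line)
        if rec is None:
            continue
        rows.append((rec["username"], rec["vpn_ip"], int(rec["bytes_total"])))
    return rows


if __name__ == "__main__":
    print(extract_vpn_ip_regex(SAMPLE_LINE))
    print(index_sessions([SAMPLE_LINE, OTHER_LINE]))
```

The regex route answers exactly the question asked (one field, quickly); the JSON route gives every field at once and will not break when the field order or spacing inside the record changes, which is the same reason the answer points to spath or INDEXED_EXTRACTIONS for logs like these.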