Splunk Search

How to write the regular expression to extract these fields from my sample data?

kschmeling
New Member

Hello,

I'm trying to create a regex to extract the fields to the follow logs:

Example 1

msg=O equipamento marte (192.168.0.1) recuperou a conectividade SSH suid=7 sname=Script Assíncrono: 10 suser= spid=17025 dst=192.168.0.2 dhost=marte dport=22

Example 2

msg=Sessao iniciada para marte (192.168.0.1) - Usuario Privilegiado TPL - root pelo usuario Usuario Teste (usuario.teste) suid=297 sname=Usuario Teste suser=usuario.teste spid=14410 dst=192.168.0.1 dpt=22 duser=root

I need to extract the fields like that:

Example 1

msg=O equipamento marte (192.168.0.1) recuperou a conectividade SSH
suid=7
sname=Script Assíncrono: 10
suser=
spid=17025
dst=192.168.0.2
dhost=marte
dport=22

Example 2

msg=Sessao iniciada para marte (192.168.0.1) - Usuario Privilegiado TPL - root pelo usuario Usuario Teste (usuario.teste)
suid=297
sname=Usuario Teste
suser=usuario.teste
spid=14410
dst=192.168.0.1
dpt=22
duser=root

I'm using https://regex101.com/ to help me

Any help is appreciated

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

The examples are little different, which makes finding a common regex string tricky, but I believe this will work.

"msg=(?<msg>.*?) suid=(?<suid>\d+) sname=(?<sname>.*?) suser=(?<suser>.*) spid=(?<spid>\d+) dst=(?<dst>[^ ]+) (dhost=(?<dhost>.*?) dport=(?<dport>\d+))?(dpt=(?<dpt>\d+) duser=(?<duser>.*))?"
---
If this reply helps you, Karma would be appreciated.

View solution in original post

rahulrawlani
Explorer

Hello Friend,

If you want to extract the fields for both the events with one regex, then try using the below regex

.*msg\=(?.*)?suid\=(?\d+)?\ssname\=(?.*)?suser\=(?.*)?\sspid\=(?\d+)\sdst\=(?\d+\.\d+\.\d+\.\d+)\s(?:dhost\=(?\w+)\sdport\=(?\d+)|(?:dpt\=(?\d+)\sduser\=(?\w+)))

Let me know if that works for you.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The examples are little different, which makes finding a common regex string tricky, but I believe this will work.

"msg=(?<msg>.*?) suid=(?<suid>\d+) sname=(?<sname>.*?) suser=(?<suser>.*) spid=(?<spid>\d+) dst=(?<dst>[^ ]+) (dhost=(?<dhost>.*?) dport=(?<dport>\d+))?(dpt=(?<dpt>\d+) duser=(?<duser>.*))?"
---
If this reply helps you, Karma would be appreciated.

kschmeling
New Member

Perfect, it's working. The trick is this expression:

(dhost=(?<dhost>.*?) dport=(?<dport>\d+))?(dpt=(?<dpt>\d+) duser=(?<duser>.*))?

Thanks a lot!

0 Karma

Richfez
SplunkTrust
SplunkTrust

I am surprised this isn't happening automatically. Under normal circustances, Splunk would find any "key=value" pairs in inputs.

Have you repeated your search in Verbose mode to make sure you can see the fields it's already found?

0 Karma

richgalloway
SplunkTrust
SplunkTrust

I believe the default parser uses space as a delimiter so he'd end up with 'msg=O' and 'msg=Sessao'.

---
If this reply helps you, Karma would be appreciated.
0 Karma

kschmeling
New Member

Yes, Splunk give me this results:

msg=O
msh=Sessao
sname=Script
sname=Usuario

0 Karma

Richfez
SplunkTrust
SplunkTrust

Yes, I realized that would have been the case after I had another cup of coffee and the wonderfully talented richgalloway reminded me of same. 🙂

There should be an answer below - give it a try and if it works for you, please accept it!

Happy Splunking!

-Rich

0 Karma
Get Updates on the Splunk Community!

Get ready to show some Splunk Certification swagger at .conf24!

Dive into the deep end of data by earning a Splunk Certification at .conf24. We're enticing you again this ...

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Now On-Demand Join us to learn more about how you can leverage Service Level Objectives (SLOs) and the new ...

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...