Splunk Search

Need help regex

pavanbmishra
Path Finder

We need to capture field value for the below CEF log pattern 

CEF:0|vendor|product|1.1.0.15361|6099|DirectoryAssetSyncSucceeded|1|cn1label=EventUserId cn1=-3 cs1label=EventUserDisplayName cs1=Automated System cs2label=EventUserDomainName cs2= cn2label=AssetId cn2=16699 cs3label=AssetName cs3=ABC.LOCAL AD cn3label=AssetPartitionId cn3=7 cs4label=AssetPartitionName cs4=XYZ.LOCAL partition cs5label=TaskId cs5=9ec9aa87-61b9-11ec-926f-3123456edt

 

I am using the below regex 

(?:([\d\w]+)label=(?<_KEY_1>\S+))(?=.*\1=(?<_VAL_1>[^=]+)(?=$|\s+[\w\d]+=))

Unfortunatelly it is not taking the blank one, like cs2= , which doesn't contain anything so EventUserDomainName should be blank 

 

Kindly suggest 

Labels (1)
Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
(?:([\d\w]+)label=(?<_KEY_1>\S+))(?=.*\1=(?<_VAL_1>[^=]*?)(?=$|\s+[\w\d]+=))
0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...