Splunk Search
Highlighted

RegEx field extraction help

Path Finder

I have this raw data:

May 20 09:11:09 172.16.20.111 May 20 2013 09:11:09: %ASA-4-113019: Group = AC-Users, Username = <Unknown>, IP = 10.20.50.67, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:05m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

But when I attempt to extract out: or 10.20.50.67 or 0h:05m:03s, it does not appear in the list of identified fields. I think it has something to do with the equals sign. Most the time the contains a user's ID.

I tried like this:
(?i)\-Parent, (?P<AC-Users_Duration>[^,]+)

Any help is appreciated.

Tags (1)
0 Karma
Highlighted

Re: RegEx field extraction help

SplunkTrust
SplunkTrust

You should be able to grab them like this:

Username = (?<username>[^,]+)
IP = (?<ip>[^,]+)
Duration: (?<duration>[^,]+)

View solution in original post

Highlighted

Re: RegEx field extraction help

Path Finder

I tried with Duration, but it does not work, does not even show up.

The Username and IP it tries to classify them as a similar extracted field:

EXTRACT-Portal_User (?i) User <(?P<Portal_User>[^>]+)

EXTRACT-Portal_IP : (?i) IP <(?P<Portal_IP>[^>]+)

Does it have anything to do with the hyphen in the extraction field name?

Tried with this:
(?i)\-Users, Username = (?P<AnyConnectVPN_Users>[^,]+)

And it produced a proper but also a lot of blank lines on the table

0 Karma
Highlighted

Re: RegEx field extraction help

Ultra Champion

That regex does not add up with the sample logs you provided in your question.

So as martin_mueller so nicely described them - put this in your props.conf:

[your sourcetype]
EXTRACT-user = Username\s+=\s+(?<user>[^,]+)
EXTRACT-duration = Duration:\s+(?<dur>[^,]+)

Hope this helps,

/k

Highlighted

Re: RegEx field extraction help

Path Finder

I think I got it. Thanks martin_mueller

0 Karma
Highlighted

Re: RegEx field extraction help

Path Finder

how do you guys get the brackets and backslashes to show up in splunk base?

0 Karma
Highlighted

Re: RegEx field extraction help

SplunkTrust
SplunkTrust

Put four spaces in front of the line to get it to show as-is in a grey box like in my answer. Within a line, you can escape characters with a single backslash in front of them.

0 Karma