Splunk Search

RegeEx help for Cisco logs

dewald13
Path Finder

I am trying to create an "action" field extraction to grab "permitted/denied" from my Cisco device logs. I can get this "(?i)-INGRESS (?P[^ ]+)" to match the majority of the fields but still not 100%. Any help is greatly appreciated!

EXAMPLE LOGS

Apr 4 13:37:55 XXX-gw 28127310: Apr 4 13:39:26.000:%FMANFP-6-IPACCESSLOGP: F0: fman_fp_image: list GLOBAL-INGRESS denied tcp XXX.XX.9.XXX(53165) -> 132.X.X.X(25), 1 packet

Apr 4 13:37:55 XXX-usr-250.grace.ad.XX.XXX 192461: Apr 4 13:39:26:%SEC-6-IPACCESSLOGS: list 15 permitted XX.16.XX.X 1 packet

Apr 4 13:37:55 XXX-sdp 23211: Apr 4 13:39:25.975:%SEC-6-IPACCESSLOGNP: list NTPPEER denied 0 XXX.XX.2.X -> XXX.XXX.X.XX,1 packet

0 Karma
1 Solution

dewald13
Path Finder

The following regex eneded up working perfectly

(?i) list[ ].+?

View solution in original post

0 Karma

dewald13
Path Finder

The following regex eneded up working perfectly

(?i) list[ ].+?

0 Karma

tgow
Splunk Employee
Splunk Employee

This is tricky but does have some consistency. The string ": list (some word) is consistent so I would try this for the regex:

(?i):\s+list\s+\S+\s+(?<fieldname>[^ ]+)\s+

Hope that helps.

0 Karma
Get Updates on the Splunk Community!

Splunk is Nurturing Tomorrow’s Cybersecurity Leaders Today

Meet Carol Wright. She leads the Splunk Academic Alliance program at Splunk. The Splunk Academic Alliance ...

Part 2: A Guide to Maximizing Splunk IT Service Intelligence

Welcome to the second segment of our guide. In Part 1, we covered the essentials of getting started with ITSI ...

Part 1: A Guide to Maximizing Splunk IT Service Intelligence

As modern IT environments continue to grow in complexity and speed, the ability to efficiently manage and ...