Regex data from its position in string?

pshankland
New Member

Hi,

I have just installed Splunk as I want to get some reports out of a Barracuda Spam firewall we have installed that sends all data to a syslog server. I have installed Splunk on the same machine as syslog, so getting the file imported was easy.

The problem I am having is with trying to extract fields from the data as I can't seem to 'teach' the system the correct regex.

The following is an example line from syslog (anonymised, obviously):

Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: 114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx 1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47

The data can be totally different which is why Splunk seems to have a problem with it, but the data is always in the same order:

Timestamp:  Sep 24 15:34:59
Host:  192.168.0.1
Process:  inbound/pass1[26165]:
Sender:  114-38-48-47.dynamic.hinet.net[114.38.48.47]
MessageID:  1285338898-663591fe0001-1ljPNx
StartTime:  1285338898
EndTime:  1285338899
Service:  RECV
From:  sender@domain.com
To:  receiver@domain.com
ActionCode:  2
ReasonCode:  62
SenderIP:  114.38.48.47

It was all going well until I got to the ActionCode!

There is always whitespace between the 'parts', so I am sure it is just a matter of getting the regex correct, but I am struggling.

Would appreciate some help.

Thanks.

Pete.

pshankland
New Member

Thanks for the replies.

Just to explain what I am trying...

I am in the Search window and then click next to one of the entries and select "Extract Fields". I have then highlighted the bit I want to extract and dragged it into the Example Values box. Finally, I have then gone through deleting the sample extractions that were wrong.

A pattern never generates correctly as the figures are so small, which is why I thought RegEx would be the correct way to look at the issue.

Twinspop - could you let me know where I should be using the regex, as I assumed it would have been when extracting, but that just failed 🙂

Thanks.

southeringtonp
Motivator

Does it always log a single To address, or can you have multiple entries?

twinspop
Influencer

\w+ \d+ \d{2}:\d{2}:\d{2} (?<host>[0-9.]+)\s+(?<process>\S+)\s+(?<sender>\S+)\s+(?<msgid>\S+)\s+(?<starttime>\d+)\s+(?<endtime>\d+)\s+(?<service>\S+)\s+(?<from>\S+)\s+(?<to>\S+)\s+(?<actioncode>\S+)\s+(?<reasoncode>\S+)\s+(?<senderip>[0-9.]+)
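The regex above checked outside Splunk, as an added example that is not part of the thread: Python's re module spells named groups (?P<name>...) rather than PCRE's (?<name>...), so the pattern is rewritten before compiling. The first sample line is the one from the question; the second (a SEND record) and the third (a line with the wrong number of parts) are constructed to show that the position-based match does not depend on field content and returns None on a malformed line.

```python
import re

# twinspop's regex exactly as posted for Splunk's PCRE engine.
SPLUNK_REX = (
    r"\w+ \d+ \d{2}:\d{2}:\d{2} (?<host>[0-9.]+)\s+(?<process>\S+)\s+(?<sender>\S+)\s+"
    r"(?<msgid>\S+)\s+(?<starttime>\d+)\s+(?<endtime>\d+)\s+(?<service>\S+)\s+"
    r"(?<from>\S+)\s+(?<to>\S+)\s+(?<actioncode>\S+)\s+(?<reasoncode>\S+)\s+"
    r"(?<senderip>[0-9.]+)"
)


def to_python_regex(splunk_rex: str) -> str:
    """Rewrite PCRE (?<name>...) groups as Python (?P<name>...).
    Lookbehinds (?<= and (?<! are untouched because \\w+ does not match = or !."""
    return re.sub(r"\(\?<(\w+)>", r"(?P<\1>", splunk_rex)


PATTERN = re.compile(to_python_regex(SPLUNK_REX))


def extract_fields(line: str):
    """Return the twelve named fields from one Barracuda syslog line, or None if
    the line does not contain the expected whitespace-separated parts in order."""
    m = PATTERN.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    # Epoch seconds and the numeric codes are more useful as integers than strings.
    for key in ("starttime", "endtime", "actioncode", "reasoncode"):
        fields[key] = int(fields[key])
    return fields


# Constructed sample input: line 1 is the anonymised line from the question.
SAMPLE_LINES = [
    "Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: "
    "114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx "
    "1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47",
    "Sep 24 15:35:02 192.168.0.1 outbound/pass2[26170]: mail.example.org[203.0.113.5] "
    "1285338901-000000000002-xyz 1285338901 1285338905 SEND a@example.org b@example.net "
    "4 0 203.0.113.5",
    "Sep 24 15:35:03 192.168.0.1 scan[26171]: cannot parse this line",  # too few parts
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_fields(line))
```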
christopherutz
Path Finder

Can you post the regex you tried?
