Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Regex data from its position in string?

pshankland
New Member
‎09-24-2010 02:46 PM

Hi,

I have just installed Splunk as want to get some reports out of a Barracuda Spam firewall we have installed that sends all data to a syslog server. I have installed Splunk on the same machine as syslog so getting the file imported was easy.

The problem I am having is with trying to extract fields from the data as I can't seem to 'teach' the system the correct regex.

The following is an example line from syslog (anonomiyzed obviously):

Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: 114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx 1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47

The data can be totally different which is why Splunk seems to have a problem with it, but the data is always in the same order:

Timestamp:  Sep 24 15:34:59
Host:  192.168.0.1
Process:  inbound/pass1[26165]:
Sender:  114-38-48-47.dynamic.hinet.net[114.38.48.47]
MessageID:  1285338898-663591fe0001-1ljPNx
StartTime:  1285338898
EndTime:  1285338899
Service:  RECV
From:  sender@domain.com
To:  receiver@domain.com
ActionCode:  2
ReasonCode:  62
SenderIP:  114.38.48.47

It was all going well until I got to the ActionCode!

There is always whitespace between the 'parts' so am sure it is just a matter of getting the regex correct but am struggling.

Would appreciate some help.

Thanks.

Pete.

Tags (1)
0 Karma
Reply

pshankland
New Member
‎09-28-2010 04:07 PM

Thanks for the replies.

Just to explain what I am trying...

I am in the Search window and then click next to one of the entries and select "Extract Fields". I have then highlighted the bit I want to extract and dragged it into the Example Values box. Finally, I have then gone through deleting the sample extractions that were wrong.

A pattern never correctly generates as the figures are so small, this is why I thought RegEx would be the correct way to look at the issue.

Twinspop - could you let me know where I should be using the regex as assumed it would have been when extracting but that just failed 🙂

Thanks.

0 Karma
Reply

southeringtonp
Motivator
‎09-24-2010 05:59 PM

Does it always log a single To address, or can you have multiple entries?

0 Karma
Reply

twinspop
Influencer
‎09-24-2010 05:43 PM 
\w+ \d+ \d{2}:\d{2}:\d{2} (?<host>[0-9.]+)\s+(?<process>\S+)\s+(?<sender>\S+)\s+(?<msgid>\S+)\s+(?<starttime>\d+)\s+(?<endtime>\d+)\s+(?<service>\S+)\s+(?<from>\S+)\s+(?<to>\S+)\s+(?<actioncode>\S+)\s+(?<reasoncode>\S+)\s+(?<senderip>[0-9.]+)
0 Karma
Reply

christopherutz
Path Finder
‎09-24-2010 03:26 PM

Can you post the regex you tried?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...