Splunk Search

Regex help with Search time field extractions from syslog source

gsawyer1
Engager

I have a string of text from a syslog feed source:

    Nov 8 16:16:51 192.168.2.10 Nov 8 16:16:19 SuperServer PES0: Site: Sitename,Server: Srvr1,Domain: Default,Admin: user1,Policy has been fixed,Policyname - X

I am trying to extract the last three fields from this data, and I can't seem to get it to work. I'm only trying it out in Search first, but am thinking of using an EXTRACT in props.conf finally. The rest of the regex I have double-checked, using a Perl Regex editor and RegExr, too. All of the syntax seems to be correct, until I try to extract the fields. Here's the regex with search command I have so far:

    Source=syslog | rex ".*,Admin:\s(?<user>\w+),(?<message>.*),(?<policy>.*)" | table user message policy

But my field extraction attempts here yield nothing so far. Any suggestions?

My follow on issue is that I get additional logs from this same source:

    Nov 8 16:16:51 192.168.2.10 Nov 8 16:16:19 SuperServer PES0: MACHINE_NAME,Continue,,File Read,Begin: 2012-10-03 01:54:38,End: 2012-10-03 01:54:38,Rule: Log write - media,3196,C:/Windows/System32/svchost.exe,0,No Module Name,C:/Temp/filename.txt,User: SYSTEM,Domain: STANDALONE,Action Type:

Here is the regex I have so far to extract fields from it, too:

    Source=syslog | rex ".*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),Begin:\.*Rule:\s(?<rule_used>.*),\d+,(?<process_called>.*),\d+,No\sModule\sName,(?<filename>.*),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)" | table _time machine srvr_action_taken user_action_taken rule_used process_called filename user domain

(The table commands are just so I can view the output quickly.)

Also, any suggestions for how I should use these two regexes in a props.conf EXTRACT entry/stanza? I think that's probably the best way to proceed.

Would it make more sense to use a REPORT and have its transform employ DELIM instead?
Is there a way to use both of these regexes against one source, in an EXTRACT or REPORT or transform?

I imagine this will be an easy question for the Splunk Community, but the answer so far escapes me. Any help would be appreciated; I am just starting to learn regex now.

1 Solution

emiller42
Motivator

The way you would implement these in your transforms/props.conf is as follows:

In transforms.conf you would actually define two separate transforms.

    [foo]
    REGEX = .*,Admin:\s(?<user>\w+),(?<message>.*),(?<policy>.*)

    [bar]
    REGEX = .*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),Begin:.*Rule:\s(?<rule_used>.*),\d+,(?<process_called>.*),\d+,No\sModule\sName,(?<filename>.*),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)

Then in your props.conf you reference the above transforms like so:

    [syslog]
    REPORT-syslog = foo, bar

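As an added illustration of what `REPORT-syslog = foo, bar` does to a mixed feed (example code written for this page, not Splunk's implementation and not something the posters ran): every transform is tried against every event, and the named groups of whichever one matches are merged into that event's fields, so the two event shapes can live under one source without one regex having to cover both. Python's `re` module does not accept PCRE's `(?<name>...)` syntax, so a two-line helper rewrites those groups to `(?P<name>...)` before compiling; the two sample events are constructed from the lines quoted in the question.

```python
import re

# Constructed sample events, modelled on the two syslog lines quoted in the question.
EVENTS = [
    "Nov 8 16:16:51 192.168.2.10 Nov 8 16:16:19 SuperServer PES0: Site: Sitename,"
    "Server: Srvr1,Domain: Default,Admin: user1,Policy has been fixed,Policyname - X",
    "Nov 8 16:16:51 192.168.2.10 Nov 8 16:16:19 SuperServer PES0: MACHINE_NAME,Continue,,"
    "File Read,Begin: 2012-10-03 01:54:38,End: 2012-10-03 01:54:38,Rule: Log write - media,"
    "3196,C:/Windows/System32/svchost.exe,0,No Module Name,C:/Temp/filename.txt,"
    "User: SYSTEM,Domain: STANDALONE,Action Type:",
]

# The two REGEX values from the transforms.conf stanzas above, verbatim (PCRE syntax).
TRANSFORMS = {
    "foo": r".*,Admin:\s(?<user>\w+),(?<message>.*),(?<policy>.*)",
    "bar": (r".*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),"
            r"Begin:.*Rule:\s(?<rule_used>.*),\d+,(?<process_called>.*),\d+,No\sModule\sName,"
            r"(?<filename>.*),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)"),
}


def compile_pcre(pattern):
    """Python's re only knows (?P<name>...), so rewrite PCRE-style (?<name>...) groups.
    The lookahead leaves lookbehind assertions (?<= and (?<! untouched."""
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern))


COMPILED = {name: compile_pcre(p) for name, p in TRANSFORMS.items()}


def apply_report(event, transforms=COMPILED):
    """Emulate REPORT-syslog = foo, bar for one event.

    Every transform in the list is tried; each one that matches contributes its
    named groups to the event's field set. A transform that does not match
    contributes nothing, so the Site/Admin events pick up user/message/policy and
    the MACHINE_NAME events pick up machine/rule_used/... from the same source.
    Returns (names of matching transforms, merged fields)."""
    fields = {}
    matched = []
    for name, rx in transforms.items():
        m = rx.search(event)  # the leading .* in both regexes makes anchoring irrelevant
        if m:
            matched.append(name)
            fields.update(m.groupdict())
    return matched, fields


if __name__ == "__main__":
    for ev in EVENTS:
        matched, fields = apply_report(ev)
        print(matched)
        for k, v in fields.items():
            print(f"  {k} = {v!r}")
```

Running it shows the first event matching only `foo` and the second only `bar`, with no field from the non-matching transform; that is the behaviour to expect once both stanzas are listed on one REPORT line.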


gsawyer1
Engager

When I used the regexes in transforms, I had to put quotes around each comma. Not so when I used the rex command in Search. I also had to change a couple more "\w+" to ".*?" to capture all of the data to their fields.

Either way, thanks to both Rob and emiller42 for their help. It felt good when things started working.
Thanks!! I have a follow-on question I am posting right now, called "Subsequent transform of an extracted field?", if anyone wants to help.


Rob
Splunk Employee

Your rex command might be missing the parameter for the field to extract from. Take a look at the docs here for the rex command:

In this case, try using the following snippet:

    | rex field=_raw ".*,Admin:\s(?<user>\w+),(?<message>.*),(?<policy>.*)"

Rob
Splunk Employee

Also, I forgot to mention that you will want to make sure that field discovery is turned on if you are using Splunk version <5.0 or your fields will not be extracted.


Rob
Splunk Employee

The regex you are using for the first example should be ok. The only improvement I could suggest is to make the second field (message) not greedy with (?<message>.*?). With the second regex, it looks like it just needs a few touches (there was an escaped dot in there):

    | rex field=_raw ".*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),Begin:.*?Rule:\s(?<rule_used>.*?),\d+,(?<process_called>.*?),\d+,No\sModule\sName,(?<filename>.*?),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)"
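To see both of Rob's points on concrete input, here is an added Python check that is not part of the thread (the events are constructed from the lines in the question; the `(?<name>...)` to `(?P<name>...)` rewrite is only there because Python's `re` lacks PCRE's named-group syntax). It shows that the original second regex never matches at all, because `Begin:\.*Rule:` demands zero or more literal dots where the timestamp actually sits, while the corrected regex extracts every field; and, for the first regex, that greedy and lazy `message` groups split the line identically on the exact sample but disagree as soon as the policy name itself contains a comma, so the right choice depends on which field may carry commas.

```python
import re


def compile_pcre(pattern):
    """Rewrite PCRE (?<name>...) groups to Python's (?P<name>...); lookbehinds are untouched."""
    return re.compile(re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern))


def extract(pattern, event):
    """Return the named groups as a dict, or None when the regex does not match at all."""
    m = compile_pcre(pattern).search(event)
    return m.groupdict() if m else None


# Constructed sample, modelled on the second syslog line quoted in the question.
EVENT2 = ("Nov 8 16:16:51 192.168.2.10 Nov 8 16:16:19 SuperServer PES0: MACHINE_NAME,Continue,,"
          "File Read,Begin: 2012-10-03 01:54:38,End: 2012-10-03 01:54:38,Rule: Log write - media,"
          "3196,C:/Windows/System32/svchost.exe,0,No Module Name,C:/Temp/filename.txt,"
          "User: SYSTEM,Domain: STANDALONE,Action Type:")

# The regex from the question. "Begin:\.*Rule:" means "Begin:", then zero or more
# literal dots, then "Rule:" -- the timestamp in between makes a match impossible,
# which is why the table came back with headings but no data.
ORIGINAL = (r".*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),"
            r"Begin:\.*Rule:\s(?<rule_used>.*),\d+,(?<process_called>.*),\d+,No\sModule\sName,"
            r"(?<filename>.*),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)")

# Rob's corrected version: unescaped dot plus lazy quantifiers on the free-text fields.
FIXED = (r".*PES0:\s(?<machine>\w+),(?<srvr_action_taken>\w+),,(?<user_action_taken>\w+\s\w+),"
         r"Begin:.*?Rule:\s(?<rule_used>.*?),\d+,(?<process_called>.*?),\d+,No\sModule\sName,"
         r"(?<filename>.*?),User:\s(?<user>\w+),Domain:\s(?<domain>\w+)")

# Greedy vs lazy "message" on the first regex. With ".*" the message swallows every
# comma but the last; with ".*?" it stops at the first comma after the admin name.
GREEDY = r".*,Admin:\s(?<user>\w+),(?<message>.*),(?<policy>.*)"
LAZY = r".*,Admin:\s(?<user>\w+),(?<message>.*?),(?<policy>.*)"

# Constructed variant of the first event whose policy name contains a comma.
EVENT1_VARIANT = ("Nov 8 16:16:51 192.168.2.10 Nov 8 16:16:19 SuperServer PES0: Site: Sitename,"
                  "Server: Srvr1,Domain: Default,Admin: user1,Policy has been fixed,"
                  "Policyname - X,Revision 2")


if __name__ == "__main__":
    print("original second regex:", extract(ORIGINAL, EVENT2))
    print("fixed second regex:   ", extract(FIXED, EVENT2))
    print("greedy message:       ", extract(GREEDY, EVENT1_VARIANT))
    print("lazy message:         ", extract(LAZY, EVENT1_VARIANT))
```

Running the same comparison over a few dozen real lines before writing the transforms stanza surfaces exactly the silent empty-field result described in the thread, and shows which free-text fields need a lazy quantifier because their neighbours may contain the delimiter.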

gsawyer1
Engager

It would be great if that was the issue, and thanks for the clarification about specifying the field. I've seen so many examples here by now that my head is swimming with them, but I did actually already try specifying field=_raw, and my field count still doesn't increase, and my table command shows the headings I specified, but no data in them, still.
