Splunk Search

help me in writing Regex for the below data

vikram1583
Explorer

<37>Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7611|Suspicious Country Blacklist|1|app=IP cnt=1 dst=192.54.112.30 dpt=53 act=Block cn1=0 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0

From the above data I want to extract the line below:

Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint


Sukisen1981
Champion

Hi @vikram1583
Please see the screenshot below from my and @jpolvino's rexes; see the author field in the first query and the extract field in the second query.
Where are you checking for these fields after you run your rex? Please hardcode first and confirm that the author or extract field output is what you need.


Sukisen1981
Champion

Hi @vikram1583
Both solutions given by me and @jpolvino work.
Have you tried the makeresults one, used as it is? Can you paste the screenshot of your output?
There is no way the makeresults one won't work - I have hardcoded the text. Please run the code and give us the snapshot of the statistics tab output.

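As an added example (not code from either poster), the extraction the question asks for written against Python's `re` module, whose syntax carries over to Splunk's `rex` with `(?<name>...)` in place of `(?P<name>...)`; it goes a step beyond the question by also splitting the CEF header and extension into fields. `SAMPLE` is the event from the question, and the SPL line in the comment is my assumed form, not one from the thread.

```python
import re

# Constructed sample: the event posted in the question (syslog PRI + CEF header).
SAMPLE = (
    "<37>Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint|UnityOne|1.0.0.17|7611|"
    "Suspicious Country Blacklist|1|app=IP cnt=1 dst=192.54.112.30 dpt=53 act=Block "
    "cn1=0 cn1Label=VLAN ID cn2=33554431 cn2Label=Taxonomy cn3=0"
)

# Pattern for the requested prefix. Assumed Splunk form (named group is (?<extract>...)):
#   | makeresults | eval _raw="<37>Aug 27 ..."
#   | rex "^(?:<\d+>)?(?<extract>\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+\S+\s+CEF:\d+\|[^|]+)"
# The PRI is optional so the same regex works if the forwarder already stripped it.
HEADER_RE = re.compile(
    r"^(?:<\d+>)?"                              # optional syslog PRI, e.g. <37>
    r"(?P<extract>"
    r"\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}\s+"   # timestamp: Aug 27 10:52:59
    r"\S+\s+"                                   # hostname: DC1TPSMS02
    r"CEF:\d+\|[^|]+"                           # CEF version and device vendor
    r")"
)

# CEF header: seven pipe-delimited fields, then the key=value extension.
CEF_RE = re.compile(
    r"CEF:(?P<version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|"
    r"(?P<dev_version>[^|]*)\|(?P<sig_id>[^|]*)\|(?P<name>[^|]*)\|"
    r"(?P<severity>[^|]*)\|(?P<extension>.*)$"
)

# Extension values may contain spaces (cn1Label=VLAN ID), so a value runs until the
# next " key=" or end of line. CEF's \= and \| escapes are not unescaped here.
EXT_KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def extract_header(line: str):
    """Return the 'Aug 27 10:52:59 DC1TPSMS02 CEF:0|TippingPoint' prefix, or None."""
    m = HEADER_RE.match(line)
    return m.group("extract") if m else None


def parse_cef(line: str):
    """Split the CEF header into named fields plus an 'ext' dict of the extension."""
    m = CEF_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ext"] = dict(EXT_KV_RE.findall(fields.pop("extension")))
    return fields
```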