Had the same issue until I put @xxx.yyy at the end of our O365 username and was able to start pulling message trace logs ... View more

+1 as also having the issue Any idea as to why the issue and if a solution exists? ... View more

Thx - will post as a separate question ... View more

Giuseppe, Thx for the reply and link to the "In-page Drilldown with Perma-Linking" report/search. I will check that out. ... View more

Thx Rich On a separate note, will the | bin span=5m _time get me a cluster of events within a 5 minute period, or do I need to leverage the transaction command? Thx again ... View more

This worked perfectly for me - thx for posting ... View more

Did you ever solve this issue? I tried using | mvexpand src_ip but that didn't grab all of the IP values Thx ... View more

Modified the regex to as follows - https://regex101.com/r/rYVwTS/6 - and I think it's extracting fields for all events. Weirdness with the icmp event as I think the 3 listed twice is the source and destination bytes. Can't find any clarifying documentation on Juniper's site other than this - https://forums.juniper.net/t5/Junos/What-is-the-log-format-for-deny-hosts-ACL/m-p/318906 - which talks about not icmp denied traffic, but I can live with it. Thx a million for the help! ... View more

This regex - https://regex101.com/r/rYVwTS/4 - doesn't pick up the dst_port for the 1st event and picks up the value on the 3rd event and assigns it to dst_port even though it's not. Thx ... View more

Thx for the regex - I added the src and dest ports capture groups: \s(?<filter>PFE_FW_SYSLOG_ETH.*:)\sFW:\s(?<src_interface>[^ ]+)\s.*(?<transport>tcp|udp|icmp)\s(?<src>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$)\s(?<dst>(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})|(?:[0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}$)\s(?<src_port>[^ ]+)\s+(?<dest_port>[^ ]+)\s+ and the issue I have is that last event is not extracting fields https://regex101.com/r/rYVwTS/3 How does one account for K/V pairs that are sometimes there and sometimes not as the 3rd event does not have a src or dest port listed in the event? Thx ... View more

The problem I have is that the Juniper logs have different event types that every time I try and do on regex I miss some relevant events so I figured that breaking the regex down to simple field extractions and then building on that would ensure I extract K/V pairs for all relevant events. I wish I could write one regex that covers all events, but I'm not a regex guru I do not have a lookup table rewriting the src field. Would running btool show all knowledge objects (using grep for relevant fields)? Thx ... View more

Sample data: Aug 2 09:16:37 10.10.10.10 Aug 2 09:16:37 externals-cl fpc1 PFE_FW_SYSLOG_ETH_IP: FW: xe-1/0/0.0 D 0800 34:62:5a:74:8f:c3 -> 64:b2:9a:7e:1b:4a tcp 184.154.189.91 10.1.1.1 41860 465 (1 packets) Aug 2 09:23:13 10.10.10.10 Aug 2 09:23:13 externals-fq fpc0 PFE_FW_SYSLOG_ETH_IP: FW: xe-0/0/0.447 D 03af:0700 a6:e7:f2:2e:13:c7 -> 72:a3:9c:3a:22:00 icmp 185.176.27.46 10.1.1.1 44927 53389 (1 packets) Aug 2 10:00:42 10.10.10.10 Aug 2 10:00:42 externals-fq fpc2 PFE_FW_SYSLOG_ETH_IP: FW: et-2/1/0.716 D 02cc:0800 52:a2:2f:7a:1d:5a -> 84:c9:2b:9e:24:e6 icmp 10.1.1.2 10.1.1.1 3 3 (1 packets) src_interface_for_junos_fw and src_ip_for_junos_fw and stanza header names I assigned as I looked in the /opt/splunk/etc/apps/Splunk_TA_juniper/default directory to for some guidance ... View more

That worked I modified my search to: base search | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>([0-9a-f]|:){1,4}(:([0-9a-f]{0,4})*){1,7})" max_match=0 | mvexpand Framed_IPv6_Address | table Framed_IPv6_Address and all six IPv6 addresses were returned as values How do you recommend that I convert this to an automatic search time extraction? ... View more

Kamelsh, Please see reply to jnudell_2 as the suggested regex you provided (thx for that) is not pulling all six IPv6 addresses from the event Thx ... View more

Sanitized event is as follows: Jul 31 16:04:30 10.10.10.10 CISE_RADIUS_Accounting 0004688970 1 0 2019-07-31 16:04:30.979 -04:00 0161383501 3001 NOTICE Radius-Accounting: RADIUS Accounting stop request, ConfigVersionId=31, Device IP Address=10.10.10.10, UserName=blah@foo.com, RequestLatency=3, NetworkDeviceName=AA-AAA-CONTROLLERS, User-Name=blah@foo.com, NAS-IP-Address=10.10.10.10, NAS-Port=8, Framed-IP-Address=10.10.10.10, Class=CACS:9b09cd0a0025d10dc3cb415d:aa-ise-psn-01/353699673/4606862, Called-Station-ID=80-87-55-ag-bd-90, Called-Station-ID=80-87-55-ag-bd-90:WIRELESS-BLAH, Calling-Station-ID=38-33-0b-11-42-2g, NAS-Identifier=aa-blah-1.wlc8510, Acct-Status-Type=Stop, Acct-Delay-Time=0, Acct-Input-Octets=10144748, Acct-Output-Octets=172482276, Acct-Session-Id=4a31cbc2/13:83:0b:19:81:2f/4160511, Acct-Authentic=RADIUS, Acct-Session-Time=10376, Acct-Input-Packets=42627, Acct-Output-Packets=144424, Acct-Terminate-Cause=User Request, Acct-Input-Gigawords=0, Acct-Output-Gigawords=0, Event-Timestamp=1564603470, NAS-Port-Type=Wireless - IEEE 802.11, Tunnel-Type=(tag=0) VLAN, Tunnel-Medium-Type=(tag=0) 802, Tunnel-Private-Group-ID=(tag=0) 3317, Framed-IPv6-Address=2620:101:200a:6bf4:c:be6a:2e6e:a010, Framed-IPv6-Address=2620:101:200b:2bf3:420b:c23a:b26e:b3bc, Framed-IPv6-Address=fe63::a4:38f9:bcd2:213a, Framed-IPv6-Address=2620:101:200e:2bf2:11b9:ca2b:1cb:a30a, Framed-IPv6-Address=2620:102:400e:1cf5:c6:a9f1:2013:fbef, Framed-IPv6-Address=2610:101:200b:1df3:14ab:831f:981:cbc2, cisco-av-pair=audit-session-id=9b09cd0a0025d10dc3cb415d, cisco-av-pair=dhcp-option=host-name=users-iPhone, cisco-av-pair=http-tlv=User-Agent=Mozilla/5.0 (iPhone\; CPU iPhone OS 12_3_2 like Mac OS X) AppleWebKit/605.1.15 (KHTML\, like Gecko) Mobile/15E148, Airespace-Wlan-Id=1, AcsSessionID=aa-ise-psn-01/353699673/4971704, SelectedAccessService=Default Network Access, Step=11004, Step=11017, Step=15049, Step=15008, Step=22084, Step=11005, NetworkDeviceGroups=Location#All Locations#You Are Here#AA-WLC-Controllers, NetworkDeviceGroups=Device Type#All Device Types#Wireless#AA-Controllers, CPMSessionID=9b09cd0a0025d10dc3cb415d, Network Device Profile=Cisco, Location=Location#All Locations#You Are Here#AA-WLC-Controllers, Device Type=Device Type#All Device Types#Wireless#AA-Controllers, There are six IPv6 addresses that I should have values for the Framed-IPv6-Address field, but only the first one is returned. I tried running the regex kamlesh suggested - | rex field=_raw "Framed-IPv6-Address=(?<Framed_IPv6_Address>(?:[A-F0-9]{1,4}:){7}[A-F0-9]{1,4})" max_match=0 and I still only get one IPv6 address value returned Thx ... View more

TYVM Rich! ... View more

NP at all - added the (?J) as a global modifier at https://regex101.com/ and was able to match on both events - regular query and cache query. I modified the regex to remove 'host' as I am already pulling that via transforms.conf. Updated regex is: client\s@.+\s(?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<src_port>\d+).*\sdefault:\s(?<message_type>query)(: (?<query>\S+) (?<request_class_name>\w+)\s(?<record_type>\w+)\s(?<flag>(?:\+|\-)\S*) | \(cache\) '(?<query>[^\/]+)\/(?<record_type>[^\/]+)\/(?<request_class_name>[^']+)) Via props.conf and transforms.conf I am pulling the host as follows: [props.conf] TRANSFORMS-host = bluecat_dns-host FIELDALIAS-dns = host AS dns [transforms.conf] [bluecat_dns-host] DEST_KEY = MetaData:Host REGEX = \d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s(\S+)\s FORMAT = host::$1 With all of that, can I replace the extract in props.conf: EXTRACT-process,pid,src,src_port,query = \d{4}\-\d{2}\-\d{2}\s\d{2}\:\d{2}\:\d{2}\s\S+\s\S+\s(?P<process>\S+)\[(?<pid>\d+)\]\:\s+\S+\s+(?P<src>\S+)\#(?P<src_port>\S+)(\/\s|\s)\((?P<query>\S+)\) With the new extract: EXTRACT-src,src_port,message_type,query,request_class_name,record_type,flag,host = (?J) client\s@.+\s(?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<src_port>\d+).*\sdefault:\s(?<message_type>query)(: (?<query>\S+) (?<request_class_name>\w+)\s(?<record_type>\w+)\s(?<flag>(?:\+|\-)\S*) | \(cache\) '(?<query>[^\/]+)\/(?<record_type>[^\/]+)\/(?<request_class_name>[^']+)) Thx ... View more

Rich, Thx for the reply. Plugging in the regex you listed: (?J)client\s@.+\s(?<src>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})#(?<src_port>\d+).*\sdefault:\s(?<message_type>query)(: (?<query>\S+) (?<dns_request_class_name>\w+)\s(?<record_type>\w+)\s(?<flag>(?:\+|\-)\S*)\s\((?<host>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|(?:::)?(?:[a-zA-Z\d]{1,4}::?){1,7}[a-zA-Z\d]{0,4})\)| \(cache\) '(?<query>[^\/]+)\/(?<record_type>[^\/]+)\/(?<dns_request_class_name>[^']+)) Returns the following error from the point of '(?<query>[^\/]+)\/(?<record_type>[^\/]+)\/(?<dns_request_class_name>[^']+)) (? A subpattern name must be unique ) A subpattern name must be unique (? A subpattern name must be unique ) A subpattern name must be unique (? A subpattern name must be unique ) A subpattern name must be unique Thx ... View more