Hello, I'm trying to analyze WatchGuard firewall logs received by Splunk via syslog on UDP port 514. I was able to find a well-working regex to use in a search with the following rex command, in order to extract the needed fields:

* | rex field=_raw ".*\s(?<HOSTNAME>\S+)\s(?<PROCESS>\S+):\s.*\s(?<DISPOSITION>(Allow|Deny))\s(?<SRC_INT>\S+)\s(?<DST_INT>\S+)\s.*(?<PR>(icmp|igmp|tcp|udp)).*\s(?<SRC_IP>[[octet]](?:\.[[octet]]){3})\s(?<DST_IP>[[octet]](?:\.[[octet]]){3})\s(?<SRC_PORT>\d{1,5})\s(?<DST_PORT>\d{1,5})\s.*\((?P<RULE_NAME>.*)?(-00)\)$" | table HOSTNAME,PROCESS,DISPOSITION,SRC_INT,DST_INT,PR,SRC_IP,DST_IP,SRC_PORT,DST_PORT,RULE_NAME

The result is a table, as you can see in the attachment. Now, in order to optimize all of that, I would like to be able to extract all these fields automatically without needing to use a rex command in each search I run... I tried using the Splunk field extraction wizard, both with the automatic regex generator and by copy-pasting my search regex, but without success... I suppose I missed something somewhere? Thanks for your help.

Florent
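The following is an added example, not part of the question above or of any Splunk configuration: it runs the same expression from the rex command over constructed WatchGuard-style syslog lines so you can check which fields it captures and where it fails to match (the anchored "(<rule>-00)" suffix). Splunk's `[[octet]]` modular regex is spelled out as an explicit sub-pattern, and the `(?<name>...)` groups become `(?P<name>...)` for Python's `re`; the log lines, hostnames and policy names are made up.

```python
import re

# Splunk's [[octet]] is a modular regex shortcut, not standard PCRE, so an
# equivalent octet pattern is written out here (assumption: same intent).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Same expression as the rex command in the question, with [[octet]]
# expanded and (?<name>...) rewritten as (?P<name>...) for Python.
WATCHGUARD_RE = re.compile(
    r".*\s(?P<HOSTNAME>\S+)\s(?P<PROCESS>\S+):\s"
    r".*\s(?P<DISPOSITION>Allow|Deny)\s(?P<SRC_INT>\S+)\s(?P<DST_INT>\S+)\s"
    r".*(?P<PR>icmp|igmp|tcp|udp)"
    rf".*\s(?P<SRC_IP>{IPV4})\s(?P<DST_IP>{IPV4})\s"
    r"(?P<SRC_PORT>\d{1,5})\s(?P<DST_PORT>\d{1,5})\s"
    r".*\((?P<RULE_NAME>.*)?(-00)\)$"
)

# Constructed sample events (not real firewall output).
SAMPLE_LINES = [
    # Deny event whose policy name contains spaces.
    'Jun 12 10:15:01 firebox1 firewall: msg_id="3000-0148" Deny 1-Trusted '
    "0-External 60 tcp 20 127 10.0.1.25 203.0.113.10 51234 445 offset 10 S "
    "1234567890 win 8192 (Unhandled Internal Packet-00)",
    # Allow event for outbound DNS over UDP.
    'Jun 12 10:15:02 firebox1 firewall: msg_id="3000-0148" Allow 1-Trusted '
    "0-External 78 udp 20 64 10.0.1.40 198.51.100.53 40112 53 (DNS-Out-00)",
    # Event without the trailing "-00" suffix: the $-anchored regex rejects it.
    'Jun 12 10:15:03 firebox1 firewall: msg_id="3000-0148" Deny 1-Trusted '
    "0-External 60 tcp 20 127 10.0.1.25 203.0.113.10 51234 445 (Ping)",
]


def parse_watchguard(line):
    """Return the named fields as a dict, or None when the line does not match."""
    match = WATCHGUARD_RE.match(line.rstrip("\n"))
    return match.groupdict() if match else None


def extract_all(lines):
    """Apply the extraction to every line, keeping only the events that matched."""
    return [fields for fields in map(parse_watchguard, lines) if fields]


if __name__ == "__main__":
    for fields in extract_all(SAMPLE_LINES):
        print(fields)
```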