Splunk Enterprise

How to extract some field from below logs format?

syazwani
Path Finder

Hi, 

I need help to extract some field from below logs format. (Im so bad at this).

Oct 11 16:06:24 123.12.123.12 SVPN-USR[29489]: {"id":"6767676767","msgid":"6767676767","userInfo":{"userName":"wani","groupId":1519,"groupPath":"/Group ADL/SSAeF","authMethods":""},"clientInfo":{"ip":"123.12.123.12","vip":"123.12.123.12","osType":"WINDOWS","macAddr":"","deviceID":""},"msg":"[accessIP: 123.12.123.129 virtualIP: 123.12.123.12] User wani for session XXXXXXXXXXXX visit ip source ->ip 123.12.123.12 port 10123!","timeStamp":1665475584,"time":"2022-10-11 16:06:24","type":"userlog","logSubType":"access_resource","rcip":"123.12.123.12","actionResult":"success"}

 

Oct 11 16:06:24 123.12.123.12 SVPN-USR[29489]: {"id":"6767676767","msgid":"6767676767","userInfo":{"userName":"wani","groupId":1477,"groupPath":"/Group ADL/SSADS","authMethods":""},"clientInfo":{"ip":"123.12.123.12","vip":"123.12.123.12","osType":"WINDOWS","macAddr":"","deviceID":""},"msg":"[accessIP: 123.12.123.12 virtualIP: 123.12.123.12] User wani for session XXXXXXXXXXXX visit ip source ->ip 123.12.123.12 port 443!","timeStamp":1665475584,"time":"2022-10-11 16:06:24","type":"userlog","logSubType":"access_resource","rcip":"123.12.123.12","actionResult":"success"}

 

I want to extract the action result value, for example:

action_result = success

 

Please help!

Labels (1)
0 Karma

GaetanVP
Contributor

Hello @syazwani ,

I am also pretty bad at it, but you can try to use this regex below :

 

"actionResult":"(?<action_result>\w+)

 

This should capture "success" (or "failure" I suppose) within a group called "action_result"

Hope it helps,
GaetanVP 

0 Karma
Get Updates on the Splunk Community!

Why You Can't Miss .conf25: Unleashing the Power of Agentic AI with Splunk & Cisco

The Defining Technology Movement of Our Lifetime The advent of agentic AI is arguably the defining technology ...

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...