Hello,
I am trying to build a regex to extract fields from my data below. I am not a programmer so I am not too familiar with building and troubleshooting the expression. I was able to build one with the Splunk regex builder all the way until I got to the Cardholder name which is where I get the following error message:
The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.
Can someone please assist me with completing the regex for the last two fields I need to extract? Here is what I have so far and the data below it. Thank you.
^\s+\w+\s+#\s+(?P<Event>[^ ]+)\s+(?P<Title>\w+\s+\w+\s+\w+)\s+(?P<Date_Event>\d+/\d+/\d+\s+\w+\s+\d+:\d+:\d+)\s+\w+\s+(?P<Access>\w+)\s+\w+\s+\w+\s+(?P<Access_Point>\w+\s+\w+)
-
EVENT # 175121 LOCAL ACCESS REPORT 2013/01/20 Sun 05:17:37
ACCESS AUTHORIZED
ACCESS POINT LOBBY BACK SECURITY AREA EXTERIOR DOO D001 R02
CARDHOLDER NAME: Arntz, Jim
ACCESS POINT DESCRIPTION: RDR 250-0-2
Hi fmpa_issac,
this should do it:
^\s+\w+\s+#\s+(?P<Event>[^ ]+)\s+(?P<Title>\w+\s+\w+\s+\w+)\s+(?P<Date_Event>\d+\/\d+\/\d+\s+\w+\s+\d+:\d+:\d+)\s+\w+\s+(?P<Access>\w+)\s+\w+\s+\w+\s+(?P<Access_Point>\w+\s+\w+)\s+(?P<where>\w+\s\w+\s+\w+)\s(?P<security_area>\w+\s+\w+\s\w+)\s+\s\w+\s\w+:\s+(?P<Cardholder_name>\w+,\s\w+)\s+\w+\s\w+\s\w+:\s(?P<Access_point_describtion>[^$]+)
The problem was the / which needs to be escaped like this: \/
You can test the regex on www.regex101.com
Hope this helps ...
cheers, MuS
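As an added example (not part of the question or of MuS's answer), here is the regex from the answer above run with Python's re module, which accepts the same (?P<name>...) named groups that Splunk uses, so an extraction can be checked offline before it goes into a field extractor. The sample event is constructed from the data in the question; because the regex starts with ^\s+ and needs at least two whitespace characters before CARDHOLDER (the \s+\s sequence), the sample assumes a leading space and CRLF line endings in the original raw event, which the thread does not show. The second function shows that the same event with LF-only line endings does not match at all, the kind of whitespace dependency worth checking when an extraction works on one source's data but not another's.

```python
import re

# MuS's regex from the answer above, copied verbatim. Python's re module
# accepts the same (?P<name>...) named groups that Splunk's rex command and
# field extractor use, so the pattern can be tested without Splunk.
ACCESS_REPORT_RE = re.compile(
    r"^\s+\w+\s+#\s+(?P<Event>[^ ]+)\s+(?P<Title>\w+\s+\w+\s+\w+)\s+"
    r"(?P<Date_Event>\d+\/\d+\/\d+\s+\w+\s+\d+:\d+:\d+)\s+\w+\s+(?P<Access>\w+)\s+"
    r"\w+\s+\w+\s+(?P<Access_Point>\w+\s+\w+)\s+(?P<where>\w+\s\w+\s+\w+)\s"
    r"(?P<security_area>\w+\s+\w+\s\w+)\s+\s\w+\s\w+:\s+(?P<Cardholder_name>\w+,\s\w+)\s+"
    r"\w+\s\w+\s\w+:\s(?P<Access_point_describtion>[^$]+)"
)

# Constructed sample built from the data in the question. The leading space
# and the CRLF line endings are assumptions about the raw event: the regex
# starts with ^\s+ and needs two whitespace characters (\s+\s) right before
# CARDHOLDER, which "\r\n" satisfies and a bare "\n" does not.
SAMPLE_EVENT = (
    " EVENT # 175121 LOCAL ACCESS REPORT 2013/01/20 Sun 05:17:37\r\n"
    "ACCESS AUTHORIZED\r\n"
    "ACCESS POINT LOBBY BACK SECURITY AREA EXTERIOR DOO D001 R02\r\n"
    "CARDHOLDER NAME: Arntz, Jim\r\n"
    "ACCESS POINT DESCRIPTION: RDR 250-0-2"
)


def extract_access_report(event: str) -> dict:
    """Return the named-group fields for one raw event, or {} if it does not match."""
    m = ACCESS_REPORT_RE.match(event)
    return m.groupdict() if m else {}


def matches_with_lf_only(event: str) -> bool:
    """Check whether the same event still matches once CRLF is normalised to LF."""
    return bool(ACCESS_REPORT_RE.match(event.replace("\r\n", "\n")))


if __name__ == "__main__":
    for name, value in extract_access_report(SAMPLE_EVENT).items():
        print(f"{name}={value!r}")
    print("matches with LF-only line endings:", matches_with_lf_only(SAMPLE_EVENT))
```

Running it prints the seven extracted fields (Cardholder_name is "Arntz, Jim") and then False for the LF-only variant; if the real events come through with a single newline between lines, the \s+\s before CARDHOLDER is the part to relax.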
Excellent answer, thank you so much MuS.
Hi MuS,
Do you see anything wrong with this one?
^(?P\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P[^ ]+)\s+(?P\w+\s+\d+)\s+(?P[^ ]+)[^:\n]*:\s+(?P\[\w+\s+\w+\s+\w+\s+\([a-f0-9]+\-\d+\-[a-f0-9]+\-\d+\-[a-f0-9]+\)\]\[\w+\s+\-\s+\w+\s+\w+\])(?:[^ \n]* ){3}(?P[^,]+)[^,\n]*,\s+\w+:\s+(?P[^,]+),\s+\w+:\s+(?P[^,]+)[^:\n]*:\s+(?P\w+)
Hi @fmpa_isaac
I already edited your comment for you, but for future reference, to make sure all characters in your regex show up properly on this site, you have to highlight the entire regular expression and press the "Code Sample" button in the text editing tools above the text box. Your backslashes and asterisks weren't showing originally, but now they are 🙂 Cheers!
Patrick
Patrick,
Thanks for your help. I don't know how to manually build a regex and because the field names were edited out, I don't know what to make of it. Here is the data I am trying to create a regex for and see below how far along I was able to get with the Splunk builder. Can you assist with that? I appreciate it.
Jan 7 10:34:22 172.20.1.62 Jan 7 14:34:23 DSO-TW-ASA-Prim-SFR SFIMS: [Primary Detection Engine (252a23cc-7196-11e4-8256-c709c2db90d1)][FMPA - Main Policy] Connection Type: End, User: fred, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: Malware | URL Monitor, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Government, URL Reputation: High risk, URL: https://sharepoint.fmpa.com, Interface Ingress: MPLS-MFN, Interface Egress: RouterNet, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 9, Responder Packets: 9, Initiator Bytes: 2457, Responder Bytes: 2974, Context: unknown {TCP} 172.23.3.151:60442 -> 10.0.0.88:443
Regex:
^(?P<Extract_Date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<Host>[^ ]+)\s+(?P<Date>\w+\s+\d+)\s+(?P<Time>[^ ]+)[^:\n]*:\s+(?P<DSO>\[\w+\s+\w+\s+\w+\s+\([a-f0-9]+\-\d+\-[a-f0-9]+\-\d+\-[a-f0-9]+\)\]\[\w+\s+\-\s+\w+\s+\w+\])(?:[^ \n]* ){3}(?P<Connection_Type>[^,]+)[^,\n]*,\s+\w+:\s+(?P<User>[^,]+),\s+\w+:\s+(?P<Client>[^,]+)[^:\n]*:\s+(?P<App_Protocol>\w+)
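As an added example that is not part of the question or of any answer, the Python below takes the more general route for this kind of Sourcefire/SFIMS event: match the syslog header and the [..][..] prefix once, then split the "Key: value, Key: value" body into a dictionary, so every field comes out rather than only the first four, and a field that moves or disappears does not break the whole extraction. The header regex is written for this example (Device and Body are group names chosen here; the question's regex matches the same leading fields positionally), the sample is the log line from the post above, and the Context field is additionally parsed into the protocol and source/destination address and port. Splitting on ", " has one caveat: a value that itself contains a comma and a space would be cut in two; in this sample none does.

```python
import re
from typing import Dict

# Constructed sample: the SFIMS line from the post above, copied verbatim.
SAMPLE_SFIMS = (
    "Jan 7 10:34:22 172.20.1.62 Jan 7 14:34:23 DSO-TW-ASA-Prim-SFR SFIMS: "
    "[Primary Detection Engine (252a23cc-7196-11e4-8256-c709c2db90d1)][FMPA - Main Policy] "
    "Connection Type: End, User: fred, Client: SSL client, Application Protocol: HTTPS, "
    "Web App: Unknown, Access Control Rule Name: Malware | URL Monitor, "
    "Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, "
    "URL Category: Government, URL Reputation: High risk, URL: https://sharepoint.fmpa.com, "
    "Interface Ingress: MPLS-MFN, Interface Egress: RouterNet, Security Zone Ingress: N/A, "
    "Security Zone Egress: N/A, Security Intelligence Matching IP: None, "
    "Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, "
    "Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 9, "
    "Responder Packets: 9, Initiator Bytes: 2457, Responder Bytes: 2974, "
    "Context: unknown {TCP} 172.23.3.151:60442 -> 10.0.0.88:443"
)

# Header regex written for this example. Device and Body are group names
# chosen here; the other names follow the question's regex. The body after
# the [..][..] prefix is captured whole and split below.
HEADER_RE = re.compile(
    r"^(?P<Extract_Date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<Host>[^ ]+)\s+"
    r"(?P<Date>\w+\s+\d+)\s+(?P<Time>[^ ]+)\s+(?P<Device>[^ ]+)\s+SFIMS:\s+"
    r"(?P<DSO>\[[^\]]*\]\[[^\]]*\])\s+(?P<Body>.*)$"
)

# The Context value ends in "{PROTO} src:port -> dst:port"; pull that apart.
CONTEXT_RE = re.compile(
    r"\{(?P<proto>\w+)\}\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)"
)


def parse_sfims(line: str) -> Dict[str, str]:
    """Split one SFIMS event into header fields plus every 'Key: value' pair in the body."""
    m = HEADER_RE.match(line)
    if m is None:
        return {}
    fields = {k: v for k, v in m.groupdict().items() if k != "Body"}
    for item in m.group("Body").split(", "):
        # Partition on the first ': ' only, so 'URL: https://...' keeps its value intact.
        key, sep, value = item.partition(": ")
        if sep:
            # Spaces become underscores so the keys are usable as Splunk field names.
            fields[key.strip().replace(" ", "_")] = value.strip()
    return fields


def connection_tuple(fields: Dict[str, str]) -> Dict[str, str]:
    """Pull protocol, source and destination out of the Context field, or {} if absent."""
    m = CONTEXT_RE.search(fields.get("Context", ""))
    return m.groupdict() if m else {}


if __name__ == "__main__":
    parsed = parse_sfims(SAMPLE_SFIMS)
    for name in ("Host", "Connection_Type", "User", "Application_Protocol", "URL", "Context"):
        print(f"{name}={parsed[name]}")
    print(connection_tuple(parsed))
```

The dictionary approach is what Splunk's built-in key/value extraction does for "key=value" pairs; for this "Key: value, Key: value" layout the two-step parse above gives the same result, and the single positional regex is then only needed for the fixed header.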