Splunk Search

How to edit my regex to extract fields from my sample data?

fmpa_isaac
Path Finder

Hello,

I am trying to build a regex to extract fields from my data below. I am not a programmer so I am not too familiar with building and troubleshooting the expression. I was able to build one with the Splunk regex builder all the way until I got to the Cardholder name which is where I get the following error message:

The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings.

Can someone please assist me with completing the regex for the last two fields I need to extract? Here is what I have so far and the data below it. Thank you.

^\s+\w+\s+#\s+(?P<Event>[^ ]+)\s+(?P<Title>\w+\s+\w+\s+\w+)\s+(?P<Date_Event>\d+/\d+/\d+\s+\w+\s+\d+:\d+:\d+)\s+\w+\s+(?P<Access>\w+)\s+\w+\s+\w+\s+(?P<Access_Point>\w+\s+\w+)

-
  EVENT #  175121            LOCAL ACCESS REPORT       2013/01/20 Sun 05:17:37
 ACCESS AUTHORIZED
  ACCESS POINT  LOBBY BACK       SECURITY AREA  EXTERIOR DOO     D001 R02
  CARDHOLDER NAME:  Arntz, Jim
  ACCESS POINT DESCRIPTION: RDR 250-0-2

MuS
SplunkTrust

Hi fmpa_isaac,

this should do it:

^\s+\w+\s+#\s+(?P<Event>[^ ]+)\s+(?P<Title>\w+\s+\w+\s+\w+)\s+(?P<Date_Event>\d+\/\d+\/\d+\s+\w+\s+\d+:\d+:\d+)\s+\w+\s+(?P<Access>\w+)\s+\w+\s+\w+\s+(?P<Access_Point>\w+\s+\w+)\s+(?P<where>\w+\s\w+\s+\w+)\s(?P<security_area>\w+\s+\w+\s\w+)\s+\s\w+\s\w+:\s+(?P<Cardholder_name>\w+,\s\w+)\s+\w+\s\w+\s\w+:\s(?P<Access_point_describtion>[^$]+)

The problem was the /, which needs to be escaped like this: \/

You can test the regex on www.regex101.com

Hope this helps ...

cheers, MuS

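As an added check that is not part of MuS's post, the Python snippet below runs the accepted regex against the sample event (Python's re stands in for Splunk's PCRE, since both use the same named-group syntax) and places a label-anchored extraction beside it; the hyphenated-name event, the LABEL_PATTERNS dictionary and both function names are constructed for this example.

```python
import re

# Accepted regex from the thread, copied unchanged. Splunk extracts with PCRE
# and Python's re accepts the same (?P<name>...) groups, so it stands in here.
ACCESS_REPORT_RE = re.compile(
    r"^\s+\w+\s+#\s+(?P<Event>[^ ]+)\s+(?P<Title>\w+\s+\w+\s+\w+)\s+"
    r"(?P<Date_Event>\d+\/\d+\/\d+\s+\w+\s+\d+:\d+:\d+)\s+\w+\s+(?P<Access>\w+)\s+"
    r"\w+\s+\w+\s+(?P<Access_Point>\w+\s+\w+)\s+(?P<where>\w+\s\w+\s+\w+)\s"
    r"(?P<security_area>\w+\s+\w+\s\w+)\s+\s\w+\s\w+:\s+(?P<Cardholder_name>\w+,\s\w+)"
    r"\s+\w+\s\w+\s\w+:\s(?P<Access_point_describtion>[^$]+)"
)

# Sample event from the question; the leading spaces matter because of ^\s+.
SAMPLE_EVENT = (
    "  EVENT #  175121            LOCAL ACCESS REPORT       2013/01/20 Sun 05:17:37\n"
    " ACCESS AUTHORIZED\n"
    "  ACCESS POINT  LOBBY BACK       SECURITY AREA  EXTERIOR DOO     D001 R02\n"
    "  CARDHOLDER NAME:  Arntz, Jim\n"
    "  ACCESS POINT DESCRIPTION: RDR 250-0-2"
)

# Constructed variant (not from the thread): a hyphenated surname plus a middle
# name, which the positional group \w+,\s\w+ cannot match.
HYPHENATED_EVENT = SAMPLE_EVENT.replace("Arntz, Jim", "Smith-Jones, Mary Ann")

# Label-anchored patterns (added here): each field is located by the literal
# label in front of it instead of by counting words and spaces.
LABEL_PATTERNS = {
    "Event": r"EVENT\s+#\s+(\S+)",
    "Date_Event": r"(\d{4}/\d{2}/\d{2}\s+\w+\s+\d{2}:\d{2}:\d{2})",
    "Access": r"^\s*ACCESS\s+(\w+)\s*$",
    "Access_Point": r"ACCESS POINT\s+(.+?)\s{2,}SECURITY AREA",
    "Cardholder_name": r"CARDHOLDER NAME:\s*(.+?)\s*$",
    "Access_point_description": r"ACCESS POINT DESCRIPTION:\s*(.+?)\s*$",
}

def extract_positional(event: str) -> dict:
    """Apply the thread's regex; {} means the whole extraction failed."""
    m = ACCESS_REPORT_RE.match(event)
    return m.groupdict() if m else {}

def extract_by_label(event: str) -> dict:
    """Extract each field on its own, so one odd value does not lose the rest."""
    fields = {}
    for name, pattern in LABEL_PATTERNS.items():
        m = re.search(pattern, event, re.MULTILINE)
        if m:
            fields[name] = m.group(1)
    return fields
```

The positional regex returns nothing at all for the hyphenated name, while the label-anchored version still yields every field; that is the practical difference between the two approaches when a cardholder name does not fit the expected word count.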

fmpa_isaac
Path Finder

Excellent answer, thank you so much MuS.


fmpa_isaac
Path Finder

Hi MuS,

Do you see anything wrong with this one?

^(?P<Extract_Date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<Host>[^ ]+)\s+(?P<Date>\w+\s+\d+)\s+(?P<Time>[^ ]+)[^:\n]*:\s+(?P<DSO>\[\w+\s+\w+\s+\w+\s+\([a-f0-9]+\-\d+\-[a-f0-9]+\-\d+\-[a-f0-9]+\)\]\[\w+\s+\-\s+\w+\s+\w+\])(?:[^ \n]* ){3}(?P<Connection_Type>[^,]+)[^,\n]*,\s+\w+:\s+(?P<User>[^,]+),\s+\w+:\s+(?P<Client>[^,]+)[^:\n]*:\s+(?P<App_Protocol>\w+)

ppablo
Retired

Hi @fmpa_isaac

I already edited your comment for you, but for future reference, to make sure all characters in your regex show up properly on this site, you have to highlight the entire regular expression and press the "Code Sample" button in the text editing tools above the text box. Your backslashes and asterisks weren't showing originally, but now they are 🙂 Cheers!

Patrick


fmpa_isaac
Path Finder

Patrick,

Thanks for your help. I don't know how to manually build a regex and because the field names were edited out, I don't know what to make of it. Here is the data I am trying to create a regex for and see below how far along I was able to get with the Splunk builder. Can you assist with that? I appreciate it.

Jan 7 10:34:22 172.20.1.62 Jan 7 14:34:23 DSO-TW-ASA-Prim-SFR SFIMS: [Primary Detection Engine (252a23cc-7196-11e4-8256-c709c2db90d1)][FMPA - Main Policy] Connection Type: End, User: fred, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: Malware | URL Monitor, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Government, URL Reputation: High risk, URL: https://sharepoint.fmpa.com, Interface Ingress: MPLS-MFN, Interface Egress: RouterNet, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 9, Responder Packets: 9, Initiator Bytes: 2457, Responder Bytes: 2974, Context: unknown {TCP} 172.23.3.151:60442 -> 10.0.0.88:443

Regex:

^(?P<Extract_Date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<Host>[^ ]+)\s+(?P<Date>\w+\s+\d+)\s+(?P<Time>[^ ]+)[^:\n]*:\s+(?P<DSO>\[\w+\s+\w+\s+\w+\s+\([a-f0-9]+\-\d+\-[a-f0-9]+\-\d+\-[a-f0-9]+\)\]\[\w+\s+\-\s+\w+\s+\w+\])(?:[^ \n]* ){3}(?P<Connection_Type>[^,]+)[^,\n]*,\s+\w+:\s+(?P<User>[^,]+),\s+\w+:\s+(?P<Client>[^,]+)[^:\n]*:\s+(?P<App_Protocol>\w+)