Hi, I am trying to extract fields from the following event:
[04 May 2021 13:13:59,786] [Nsh-Proxy-Thread-93] [INFO] [abc@abc.com:abc:10.123.123.123] [BLSSOPROXY] Connected to sm478383922 with a socket descriptor 304
I want to extract "[abc@abc.com:abc:10.123.123.123]" and the destination "sm478383922" and put them in table form:
Username | Group | Src Ip | Destination |
abc@abc.com | abc | 10.123.123.123 | sm478383922 |
Can you help me achieve this in a Splunk search?
Hi @dbashyam
Try this in your search:
| rex field=_raw "(?<username>\w+@\w+\.\w+):(?<group>\w+):(?<ip>\d+\.\d+\.\d+\.\d+)(?:[^:\n]*Connected){1}\s+\w+\s+(?<destination>\w+)"
Thank you so much. It worked like a charm.
@aasabatini, if I have any other string apart from "Connected", like copy, connecting, failed to connect, etc., is there a way to add that condition? I tried the pipe symbol (for OR) but it did not work.
| rex field=_raw "(?<username>\w+@\w+\.\w+):(?<group>\w+):(?<ip>\d+\.\d+\.\d+\.\d+)(?:[^:\n]*Connected){1}\s+\w+\s+(?<destination>\w+)"
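An added example, not from the thread or its author, that rewrites the answer's rex pattern for Python's re module and extends it to the other actions the follow-up asks about (Connecting, Failed to connect, copy) with a named alternation. The first sample line is the event from the question; the other lines, their user names, IPs and hostnames are constructed placeholders.

```python
import re

# Added example (not from the thread): the answer's rex pattern rewritten for
# Python's re module. Python names groups as (?P<name>...) instead of the PCRE
# (?<name>...) that Splunk rex accepts; the dots are escaped so they match a
# literal "."; and the fixed word "Connected" becomes a named alternation so
# other actions also extract. The destination is still "the word after the word
# after the action", exactly as in the original rex.
LOG_PATTERN = re.compile(
    r"\[(?P<username>\w+@\w+\.\w+):(?P<group>\w+):"
    r"(?P<src_ip>\d+\.\d+\.\d+\.\d+)\]"
    r".*?\b(?P<action>Connected|Connecting|Failed to connect|Copy)\b"
    r"\s+\w+\s+(?P<destination>\w+)",
    re.IGNORECASE,
)

# Constructed sample input: the line from the question plus made-up variants
# in the same format (users, IPs and hostnames are placeholders).
SAMPLE_LINES = [
    "[04 May 2021 13:13:59,786] [Nsh-Proxy-Thread-93] [INFO] "
    "[abc@abc.com:abc:10.123.123.123] [BLSSOPROXY] Connected to sm478383922 "
    "with a socket descriptor 304",
    "[04 May 2021 13:14:02,101] [Nsh-Proxy-Thread-94] [INFO] "
    "[jdoe@example.com:ops:10.0.0.5] [BLSSOPROXY] Connecting to sm100200300",
    "[04 May 2021 13:14:05,330] [Nsh-Proxy-Thread-95] [WARN] "
    "[jdoe@example.com:ops:10.0.0.5] [BLSSOPROXY] Failed to connect to sm555 "
    "after 3 retries",
    "[04 May 2021 13:15:00,000] [Nsh-Proxy-Thread-96] [INFO] [BLSSOPROXY] "
    "Heartbeat ok",
]


def extract_fields(line):
    """Return the named groups as a dict, or None when the line does not match."""
    match = LOG_PATTERN.search(line)
    return match.groupdict() if match else None


def to_table(lines):
    """One row per matching line, in the column order of the question plus action."""
    columns = ("username", "group", "src_ip", "destination", "action")
    rows = []
    for line in lines:
        fields = extract_fields(line)
        if fields is not None:  # non-matching lines (e.g. heartbeats) are skipped
            rows.append({col: fields[col] for col in columns})
    return rows


if __name__ == "__main__":
    for row in to_table(SAMPLE_LINES):
        print(" | ".join(row.values()))
```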