Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

RegEx field extraction help

pdgill314
Path Finder
‎05-20-2013 07:29 AM

I have this raw data:

May 20 09:11:09 172.16.20.111 May 20 2013 09:11:09: %ASA-4-113019: Group = AC-Users, Username = <Unknown>, IP = 10.20.50.67, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:05m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested

But when I attempt to extract out: or 10.20.50.67 or 0h:05m:03s, it does not appear in the list of identified fields. I think it has something to do with the equals sign. Most the time the contains a user's ID.

I tried like this:
(?i)\-Parent, (?P<AC-Users_Duration>[^,]+)

Any help is appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2013 08:22 AM

You should be able to grab them like this:

Username = (?<username>[^,]+)
IP = (?<ip>[^,]+)
Duration: (?<duration>[^,]+)

View solution in original post

Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2013 08:22 AM

You should be able to grab them like this:

Username = (?<username>[^,]+)
IP = (?<ip>[^,]+)
Duration: (?<duration>[^,]+)
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎05-20-2013 01:29 PM

Put four spaces in front of the line to get it to show as-is in a grey box like in my answer. Within a line, you can escape characters with a single backslash in front of them.

0 Karma
Reply
Solved! Jump to solution

alexl1
Path Finder
‎05-20-2013 11:34 AM

how do you guys get the brackets and backslashes to show up in splunk base?

0 Karma
Reply
Solved! Jump to solution

pdgill314
Path Finder
‎05-20-2013 08:51 AM

I think I got it. Thanks martin_mueller

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎05-20-2013 08:45 AM

That regex does not add up with the sample logs you provided in your question.

So as martin_mueller so nicely described them - put this in your props.conf:

[your sourcetype]
EXTRACT-user = Username\s+=\s+(?<user>[^,]+)
EXTRACT-duration = Duration:\s+(?<dur>[^,]+)

Hope this helps,

/k

Reply
Solved! Jump to solution

pdgill314
Path Finder
‎05-20-2013 08:33 AM

I tried with Duration, but it does not work, does not even show up.

The Username and IP it tries to classify them as a similar extracted field:

EXTRACT-Portal_User (?i) User <(?P<Portal_User>[^>]+)

EXTRACT-Portal_IP : (?i) IP <(?P<Portal_IP>[^>]+)

Does it have anything to do with the hyphen in the extraction field name?

Tried with this:
(?i)\-Users, Username = (?P<AnyConnectVPN_Users>[^,]+)

And it produced a proper but also a lot of blank lines on the table

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...