Splunk Search

How to deal with empty field extractions in regex

responsys_cm
Builder

Here is an example log entry I'm trying to do field extractions from:

2012 Jun 22 11:15:08 server.company.com [authpriv.notice] sshd[8410]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.company.com user=joe

In all of the events I've seen, the logname= and ruser= fields are always empty. But I cannot be sure that they will always be empty in future events. If I do a field extraction like the following, it never matches:

failure;\slogname\=(?P[^\s]+)\suid\=(?P\d+)

Why won't the logname=(one or more characters that aren't a space) work? And how can I work around it?

Thx.

Craig

Tags (1)
0 Karma
1 Solution

gkanapathy
Splunk Employee
Splunk Employee
failure;\slogname\=(?P<logname>\S*)\s+suid\=(?P<uid>\d+)

would be simpler.

View solution in original post

gkanapathy
Splunk Employee
Splunk Employee
failure;\slogname\=(?P<logname>\S*)\s+suid\=(?P<uid>\d+)

would be simpler.

responsys_cm
Builder

I figured it out. I have to do:

failure;\slogname\=(?P[^\s]+)?\suid\=(?P<uid.\d+)

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...