How to extract a field from a Juniper log?

bbsplunklog
New Member

I'm trying to extract a field from a Juniper log. An event would end with something like this:
reason=Close - RESP\x00
reason=Close - AGE OUT\x00
reason=Close - TCP FIN\x00
reason=Close - TCP RST\x00

I wanted to extract this using this regex (reason=.*), which works fine on https://regexr.com/
However, on Splunk it will only capture "reason=Close".

0 Karma
1 Solution

Sukisen1981
Champion

rex field=_raw "reason=(?<reason>.*)"

Assuming the lines are from your raw events; otherwise just replace _raw with the specific field name which contains the reason events.

0 Karma

bbsplunklog
New Member

Same. It only captures "reason=Close" and not the rest of the phrase.
Here's a sample log which might help:
2018-03-12 09:35:07 Local0.Notice 10.1.67.249 SSG350M: NetScreen device_id=JN1234567ADE [Root]system-notification-00257(traffic): start_time="2018-03-12 09:35:05" duration=2 policy_id=2 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2554 rcvd=19651 src=10.4.64.146 dst=2.2.2.2 src_port=56573 dst_port=443 src-xlated ip=1.1.1.1 port=18924 dst-xlated ip=3.3.3.3 port=443 session_id=119237 reason=Close - TCP RST\x00
2018-03-12 09:35:07 Local0.Notice 10.1.67.249 SSG350M: NetScreen device_id=JN1234567ADE [Root]system-notification-00257(traffic): start_time="2018-03-12 09:35:06" duration=1 policy_id=8 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit sent=1847 rcvd=5637 src=10.6.64.106 dst=4.4.4.4 src_port=49751 dst_port=443 src-xlated ip=1.1.1.1 port=4501 dst-xlated ip=4.4.4.4 port=443 session_id=120720 reason=Close - TCP FIN\x00
2018-03-12 09:35:07 Local0.Notice 10.1.67.249 SSG350M: NetScreen device_id=JN1234567ADE [Root]system-notification-00257(traffic): start_time="2018-03-12 09:34:07" duration=60 policy_id=6 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=132 rcvd=0 src=10.12.64.2 dst=6.6.6.6 src_port=57077 dst_port=53 src-xlated ip=3.3.3.3 port=25460 dst-xlated ip=5.5.5.5 port=53 session_id=122451 reason=Close - AGE OUT\x00
2018-03-12 09:35:07 Local0.Notice 10.1.67.249 SSG350M: NetScreen device_id=JN1234567ADE [Root]system-notification-00257(traffic): start_time="2018-03-12 09:35:05" duration=2 policy_id=6 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=85 rcvd=117 src=10.12.64.71 dst=5.5.5.5 src_port=55968 dst_port=53 src-xlated ip=3.3.3.3 port=55968 dst-xlated ip=2.2.2.2 port=53 session_id=119234 reason=Close - RESP\x00

0 Karma

Sukisen1981
Champion

What is the rex you are using in Splunk right now to capture this?

0 Karma

Sukisen1981
Champion

When I do this:

|rex field=_raw "reason=(?<reason>.*)" | table reason

I get reason as:

reason
Close - RESP\x00
Close - AGE OUT\x00
Close - TCP FIN\x00
Close - TCP RST\x00

0 Karma

Sukisen1981
Champion

I uploaded your sample in a notepad and ran the above... the only doubt is: what is your source?
Spaces / multiple spaces after CLOSE can cause this extraction to fail... can you please confirm?

0 Karma

bbsplunklog
New Member

Wonderful! Works like a charm when I use it in the search query.
That is what I missed when I kept using it in the field extraction.
But this should work fine for me.
Thanks for the help

0 Karma
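The extraction from the accepted answer, worked through in Python as an added example (not code from the thread or from Splunk): a named-group capture of `reason` that also drops the trailing terminator, plus a key=value parser for the whole NetScreen traffic message that copes with the space-containing keys (`src zone`, `dst-xlated ip`) and the twice-repeated `port` key. The sample events are constructed from the lines pasted above; treating the terminator as either the literal text `\x00` or a real NUL byte is an assumption about how the events arrive.

```python
import re

# Constructed sample events in the shape of the NetScreen traffic lines in the
# thread. The first carries the literal text "\x00" as pasted; the second carries
# a real NUL byte, which is what syslog collection usually delivers (assumption).
SAMPLE_EVENTS = [
    '2018-03-12 09:35:07 Local0.Notice 10.1.67.249 SSG350M: NetScreen device_id=JN1234567ADE '
    '[Root]system-notification-00257(traffic): start_time="2018-03-12 09:35:05" duration=2 '
    'policy_id=2 service=https proto=6 src zone=Trust dst zone=Untrust action=Permit '
    'sent=2554 rcvd=19651 src=10.4.64.146 dst=2.2.2.2 src_port=56573 dst_port=443 '
    'src-xlated ip=1.1.1.1 port=18924 dst-xlated ip=3.3.3.3 port=443 session_id=119237 '
    'reason=Close - TCP RST\\x00',
    '2018-03-12 09:35:07 Local0.Notice 10.1.67.249 SSG350M: NetScreen device_id=JN1234567ADE '
    '[Root]system-notification-00257(traffic): start_time="2018-03-12 09:34:07" duration=60 '
    'policy_id=6 service=dns proto=17 src zone=Trust dst zone=Untrust action=Permit sent=132 '
    'rcvd=0 src=10.12.64.2 dst=6.6.6.6 src_port=57077 dst_port=53 src-xlated ip=3.3.3.3 '
    'port=25460 dst-xlated ip=5.5.5.5 port=53 session_id=122451 reason=Close - AGE OUT\x00',
]

# Keys are not single tokens: "src zone" and "dst-xlated ip" contain a space.
KEY = r'(?:src|dst)(?:-xlated)? (?:zone|ip)|[\w-]+'
# A value runs until the next "key=" or end of line, so "Close - TCP RST" is
# captured whole rather than stopping at the first space (the "reason=Close" symptom).
KV_RE = re.compile(rf'(?P<key>{KEY})=(?:"(?P<quoted>[^"]*)"|(?P<bare>.*?))(?=\s+(?:{KEY})=|\s*$)')
# Trailing terminator: the literal four characters \x00, or an actual NUL byte.
NUL_RE = re.compile(r'(?:\\x00|\x00)+\s*$')

def strip_nul(value):
    return NUL_RE.sub('', value)

def extract_reason(event):
    # Same capture as the accepted answer's rex, with the terminator removed.
    m = re.search(r'reason=(?P<reason>.*)', event)
    return strip_nul(m.group('reason')) if m else None

def parse_traffic_event(event):
    # Parse the key=value body that follows the "(traffic): " marker.
    body = event.split('(traffic): ', 1)[-1]
    fields, prev = {}, ''
    for m in KV_RE.finditer(body):
        key = m.group('key')
        value = m.group('quoted') if m.group('quoted') is not None else m.group('bare')
        # "port" appears twice; qualify it by the xlated ip key that precedes it.
        if key == 'port' and prev.endswith('-xlated ip'):
            key = prev[:-3] + ' port'
        fields[key] = strip_nul(value)
        prev = key
    return fields
```

Stripping the terminator matters once the field is used in stats or lookups: "Close - TCP RST" and "Close - TCP RST\x00" would otherwise count as two different values.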