Field Extraction via Regex

raimondo_massar · ‎01-15-2013

Hi
I would like to list below logline in 4 parts and I'm not sure how to do it in with Regex. The automatic field extractor does not work. Any suggestion on how to write the right regex.

Field1  Field2              Field3                                 Field4
[AUDIT] [USER_AUTH_SUCCESS] Authentication successfully completed. User: 'Test'

This is an extract out of the field extractor which is not working:

?:[^[n][){3}(?P<fieldname1>[^]]+)[^ n] [(?P<fieldname2>[^]]+)](?P<fieldname3>s+w+s+w+s+w+.)^(?P<fieldname4>s+w+:)

jonuwz · ‎01-15-2013

In that case feel free to accept the answer below. Thanks

raimondo_massar · ‎01-15-2013

Perfect ..it works. thanks very much for your help !

jonuwz · ‎01-15-2013

Here you go :

* | head 1 
| eval message="[AUDIT] [USER_AUTH_SUCCESS] Authentication successfully completed. User: 'Test'"
| table message 
| rex field=message "\[(?<field1>[^]]+)\] \[(?<field2>[^]]+)\] (?<field3>.*)\s+User: '(?<field4>.*?)'"

Everything between the two " on the last line is the regex you need to extract the fields

i.e.

\[(?<field1>[^]]+)\] \[(?<field2>[^]]+)\] (?<field3>.*)\s+User: '(?<field4>.*?)'

raimondo_massar · ‎01-15-2013

it's always information about the user

jonuwz · ‎01-15-2013

Where does Field4 start ? is it

after a '.'

or

it it always information about the user ?

Field Extraction via Regex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!