I have the event as below:
Mar 31 13:21:29 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = VAZQUD68, IP = ...*, Session disconnected. Session Type: SSL, Duration: 1h:06m:28s, Bytes xmt: 17586992, Bytes rcv: 6595282, Reason: Idle Timeout
Now, I would like to fetch the value "vg1" in the column named "Host" and apart from that I would like to fetch the values for Group, Username, IP, Session Type, Duration, Bytes xmt, Bytes rcv, Reason.
Any help would be appreciated. Thanks in advance!!
| makeresults
| eval _raw="Mar 31 13:21:29 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = VAZQUD68, IP = ...*, Session disconnected. Session Type: SSL, Duration: 1h:06m:28s, Bytes xmt: 17586992, Bytes rcv: 6595282, Reason: Idle Timeout"
| rex "(?<timestamp>\w+\s+\d{1,2} [\d:]+) (?<Host>\S+).*Duration: (?<Duration>\S+),"
| extract pairdelim=",." kvdelim="=:"
This rex command will parse your example event.
| rex "(?<Host>\w+) : [^:]+: Group = (?<Group>[^,]+), Username = (?<Username>[^,]+), IP = (?<IP>[^,]+), .*? Session Type: (?<SessionType>[^,]+), Duration: (?<Duration>[^,]+), Bytes xmt: (?<xmt>[^,]+), Bytes rcv: (?<rcv>[^,]+), Reason: (?<Reason>.*)"
Thank you for your response. This has worked for me.
My requirement has changed now. I have 3 types of events as below:
Apr 2 11:35:28 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = karrc03, IP = ..., Session disconnected. Session Type: SSL, Duration: 2h:15m:12s, Bytes xmt: 59389646, Bytes rcv: 14229526, Reason: Idle Timeout
Apr 2 11:35:23 vg1 : %ASA-4-722051: Group User IP <...> IPv4 Address <...> IPv6 address <::> assigned to session
Apr 2 11:03:47 vg2 : %ASA-4-113005: AAA user authentication Rejected : reason = Invalid password : server = ...* : user = SHAFED61 : user IP = .*..*
Now, I would like to fetch the events based on the values "Session disconnected", "assigned to session", and "Rejected" in a separate column "EventType", by user.
Your help would be appreciated. Thanks in advance.
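A stand-alone parser for the three event layouts in this thread, added here as an example and not code from any of the posts: it does in Python what the rex/extract searches above do in SPL (Host from the syslog header, the key/value fields from each message body, and an EventType column keyed on the three phrases asked for), and it also converts the Duration field to seconds and groups EventType per user. The sample lines are constructed from the redacted events above: IPs are from documentation ranges, the group/user values inside the 722051 line are invented, and that line's angle-bracket field layout is assumed from the single redacted sample.

```python
"""Added example: parse the three Cisco ASA syslog event types from the thread.

This is not code from the thread; it mirrors in Python what the rex/extract
searches do in SPL, so the regexes can be checked offline before being
ported back into a Splunk search.
"""
import re

# Constructed sample events, based on the (redacted) lines posted in the
# thread.  IPs use documentation ranges; the group/user values inside the
# 722051 line are invented, and its "<...>" field layout is assumed from
# the single redacted sample.
SAMPLE_EVENTS = [
    "Mar 31 13:21:29 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = VAZQUD68, "
    "IP = 198.51.100.23, Session disconnected. Session Type: SSL, Duration: 1h:06m:28s, "
    "Bytes xmt: 17586992, Bytes rcv: 6595282, Reason: Idle Timeout",
    "Apr  2 11:35:23 vg1 : %ASA-4-722051: Group <EMPLOYEE> User <karrc03> IP <198.51.100.40> "
    "IPv4 Address <10.0.0.5> IPv6 address <::> assigned to session",
    "Apr  2 11:03:47 vg2 : %ASA-4-113005: AAA user authentication Rejected : "
    "reason = Invalid password : server = 192.0.2.20 : user = SHAFED61 : user IP = 198.51.100.7",
]

# Syslog header: "<Mon> <day> <hh:mm:ss> <host> : %ASA-<sev>-<id>: <body>".
# \s+ after the month absorbs the padded single-digit day ("Apr  2"), which
# a fixed "\d\d" would miss.
HEADER = re.compile(
    r"^(?P<timestamp>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) : "
    r"%ASA-(?P<severity>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$"
)

# EventType values requested in the thread, matched as literal phrases in
# the message body; the first hit wins.
EVENT_PHRASES = [
    ("Session disconnected", "Session disconnected"),
    ("assigned to session", "assigned to session"),
    ("Rejected", "Rejected"),
]

# Body layouts keyed on the ASA message ID, which is what the field layout
# is actually tied to; the free-text phrase above only supplies the label.
BODY_PATTERNS = {
    "113019": re.compile(
        r"^Group = (?P<Group>[^,]+), Username = (?P<Username>[^,]+), IP = (?P<IP>[^,]+), "
        r"Session disconnected\. Session Type: (?P<SessionType>[^,]+), "
        r"Duration: (?P<Duration>[^,]+), Bytes xmt: (?P<BytesXmt>\d+), "
        r"Bytes rcv: (?P<BytesRcv>\d+), Reason: (?P<Reason>.*)$"
    ),
    "722051": re.compile(  # assumed layout, see module docstring
        r"^Group <(?P<Group>[^>]*)> User <(?P<Username>[^>]*)> IP <(?P<IP>[^>]*)> "
        r"IPv4 Address <(?P<IPv4>[^>]*)> IPv6 address <(?P<IPv6>[^>]*)> assigned to session$"
    ),
    "113005": re.compile(
        r"^AAA user authentication Rejected : reason = (?P<Reason>[^:]+?) : "
        r"server = (?P<Server>[^:]+?) : user = (?P<Username>[^:]+?) : user IP = (?P<IP>.*)$"
    ),
}

DURATION = re.compile(r"^(?P<h>\d+)h:(?P<m>\d+)m:(?P<s>\d+)s$")


def duration_seconds(text):
    """Convert an ASA duration like '1h:06m:28s' to seconds, or None if it does not parse."""
    m = DURATION.match(text)
    if m is None:
        return None
    return (int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])


def parse_event(line):
    """Return a dict of fields for one syslog line, or None if it is not an ASA event."""
    m = HEADER.match(line)
    if m is None:
        return None
    body = m["body"]
    event = {
        "Timestamp": m["timestamp"],
        "Host": m["host"],
        "MsgID": m["msg_id"],
        "EventType": next((label for phrase, label in EVENT_PHRASES if phrase in body), "other"),
    }
    pattern = BODY_PATTERNS.get(m["msg_id"])
    if pattern is not None:
        bm = pattern.match(body)
        if bm is not None:
            event.update(bm.groupdict())
    if "Duration" in event:
        event["DurationSeconds"] = duration_seconds(event["Duration"])
    return event


def event_types_by_user(lines):
    """Group EventType values per Username, skipping lines that carry no user field."""
    by_user = {}
    for line in lines:
        event = parse_event(line)
        if event is None or "Username" not in event:
            continue
        by_user.setdefault(event["Username"], []).append(event["EventType"])
    return by_user


if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(parse_event(sample))
    print(event_types_by_user(SAMPLE_EVENTS))
```

The body patterns are keyed on the %ASA message ID rather than on the phrase because the ID is what fixes the field layout; the phrase list is kept only to produce the EventType values the question asks for. Ported back to SPL, that is one rex per message ID rather than one rex that tries to cover all three layouts.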
https://splunkbase.splunk.com/app/1620/
I don't use Cisco products. I haven't tried this.