Splunk Search

Can someone help me with the regex for a field extraction?

Jarohnimo
Builder

Below are clamav logs, I would like to create two new fields.

one called: log_level
one called: message

log_level would be a capture group where the word "WARNING:" is. Sometimes this word will be ERROR or INFO; it's contingent.
message would be a capture group where: "Can't open file /etc/rsyslog.conf.broken: Permission denied"

More so than the answer, I'd like an understanding of the regex, so in your answer, if you could please break down the regex so I can learn, I'd truly appreciate it.

-------------------------------------------------------------------------------

 WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200021_ow7PXV: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200026_aPhSxB: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1532.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1695.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1517.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1727.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1526.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1770.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1513.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1686.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1636.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1698.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1785.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1617.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1742.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1519.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1708.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1531.log: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200003_aWcbM9: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200007_cPewso: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200001_02GigF: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200037_PR0YIo: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
 WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
 WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200028_4tocVD: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
 WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied

 ----------- SCAN SUMMARY -----------
 Known viruses: 5995098
 Engine version: 0.99.2
 Scanned directories: 6366
 Scanned files: 41938
 Infected files: 0
 Total errors: 83
 Data scanned: 3329.70 MB
 Data read: 4610.58 MB (ratio 0.72:1)
 Time: 4296.029 sec (71 m 36 s)

 -------------------------------------------------------------------------------

 WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200001_n3Udh3: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200046_tG4INP: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200071_HSWmZ6: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1532.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1695.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1517.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1594.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1595.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1580.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1526.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1513.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1686.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1589.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1636.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1698.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1617.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1604.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1584.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1519.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1708.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1531.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1608.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1610.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1598.log: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200028_dJudKj: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200012_QHbp0P: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200003_3gLmvy: Permission denied
 WARNING: Can't open file /tmp/tmp.z1NhS7Cf1p: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200016_ZuL9m4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200048_CG4mxR: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200037_FH62Pc: Permission denied
 WARNING: Can't open file /tmp/tmp.a9xsZutIWq: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
 WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
 WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200051_5IDsNl: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200049_70bzRj: Permission denied
 WARNING: Can't open file /tmp/tmp.E4AJCzpOIr: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200007_R3pBFi: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
 WARNING: Can't open file /tmp/tmp.nEx5K1P19V: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
 WARNING: Can't open file /tmp/tmp.3xu23Z8tDj: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
 WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied

 ----------- SCAN SUMMARY -----------
 Known viruses: 6319346
 Engine version: 0.99.2
 Scanned directories: 7233
 Scanned files: 45947
 Infected files: 0
 Total errors: 100
 Data scanned: 3594.28 MB
 Data read: 4821.47 MB (ratio 0.75:1)
 Time: 485.906 sec (8 m 5 s)

 -------------------------------------------------------------------------------

 WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200048_SKap8h: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_P1SWCK: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_pD4Mt4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200071_e3US5K: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200021_IfCsp4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600429_vx2xUp: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_QYox3k: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200046_tG4INP: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_0fEYYI: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600101_tfBE1x: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1587.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1599.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1594.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1595.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1602.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1580.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1593.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1592.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1566.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1578.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1611.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1588.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1607.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1605.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1589.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1603.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1583.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1596.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1606.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1604.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1584.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1582.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1620.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1585.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1623.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1590.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1577.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1608.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1610.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1598.log: Permission denied
 WARNING: Can't open file /tmp/vmware-root/vmware-apploader-1591.log: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Myl0Qe: Permission denied
 WARNING: Can't open file /tmp/tmp.0qPyyvkhIw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Y8YTvr: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_Svzf6O: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_QvgHg4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200028_dJudKj: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_eBGT5M: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200012_QHbp0P: Permission denied
 WARNING: Can't open file /tmp/tmp.z1NhS7Cf1p: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600099_vJnQRX: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200019_1cSMBo: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200065_NZfYE4: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200037_FH62Pc: Permission denied
 WARNING: Can't open file /tmp/tmp.a9xsZutIWq: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200003_Ysuwzs: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_RvJuPw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600106_bhzQNt: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_BHjkuK: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_8rXTya: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600286_wkk2hw: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200030_n0sXYf: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200001_VezxBM: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_egUWcm: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_SER8kV: Permission denied
 WARNING: Can't open file /tmp/tmp.XIvDgFrUAn: Permission denied
 WARNING: Can't open file /tmp/EPEL6-GPG-KEY: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200013_qujiN0: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_g40tLJ: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200049_zrBoRF: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600427_BuOUej: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200051_5uiGLr: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_OpGADN: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_jbilyY: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888700729_110ApX: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200047_iM0nZM: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600042_em0uAD: Permission denied
 WARNING: Can't open file /tmp/tmp.E4AJCzpOIr: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200007_R3pBFi: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_qjdnTq: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200016_7hh0tc: Permission denied
 WARNING: Can't open file /tmp/tmp.nEx5K1P19V: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600043_Pyb8Hf: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200062_Y3tkcC: Permission denied
 WARNING: Can't open file /tmp/tmp.3xu23Z8tDj: Permission denied
 WARNING: Can't open file /tmp/tmp.KgPSpEWZwR: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600111_CtZB8x: Permission denied
 WARNING: Can't open file /tmp/krb5cc_888600038_HpqDys: Permission denied
 WARNING: Can't open file /tmp/krb5cc_1846200067_xWpi42: Permission denied

 ----------- SCAN SUMMARY -----------
 Known viruses: 6319470
 Engine version: 0.99.4
 Scanned directories: 8003
 Scanned files: 47590
 Infected files: 0
 Total errors: 105
 Data scanned: 4118.82 MB
 Data read: 5005.36 MB (ratio 0.82:1)
 Time: 556.020 sec (9 m 16 s)
0 Karma

richgalloway
SplunkTrust

Check out the ClamAV TA (https://splunkbase.splunk.com/app/3619/). It should do the fields extractions for you.

This regex should do the job. It looks for one of the log levels and extracts it into the 'log_level' field then takes everything after the following colon and puts it in the 'message' field.

(?<log_level>WARNING|ERROR|INFO): (?<message>.*)
---
If this reply helps you, Karma would be appreciated.
0 Karma
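The regex from the answer above, run over a handful of the lines from the question so the two capture groups can be seen doing their work. This is an added example and not part of the original thread or of the ClamAV TA; it uses Python's `re` module, which spells a named capture group `(?P<name>...)` where Splunk's PCRE engine uses `(?<name>...)` (the rest of the pattern is identical). The ERROR and INFO lines are constructed to show the alternation, and two SCAN SUMMARY lines are included to show that lines without a level do not produce fields.

```python
import re
from typing import Optional

# The answer's regex, in Python's re syntax (Splunk/PCRE: (?<name>...), Python: (?P<name>...)).
#
# Breakdown, left to right:
#   (?P<log_level>WARNING|ERROR|INFO)  named group "log_level"; the | means "one of these
#                                      three literal words" and the match is case-sensitive
#   :                                  a literal colon
#   (space)                            a literal space
#   (?P<message>.*)                    named group "message"; . is any character except a
#                                      newline and * means "zero or more", so this greedily
#                                      takes the rest of the line, including the second colon
#                                      inside "Can't open file ...: Permission denied"
CLAMAV_PATTERN = re.compile(r"(?P<log_level>WARNING|ERROR|INFO): (?P<message>.*)")

# Sample input. The first three lines are copied from the logs in the question (leading
# space included); the ERROR and INFO lines are constructed; the last two are summary lines.
SAMPLE_LINES = [
    " WARNING: Can't open file /etc/rsyslog.conf.broken: Permission denied",
    " WARNING: Can't open file /tmp/krb5cc_888600038_buu1Z0: Permission denied",
    " WARNING: Can't open file /opt/splunk-6.4.0-f2c836328108-linux-2.6-x86_64.rpm: Permission denied",
    " ERROR: Can't open file /tmp/tmp.constructed: Permission denied",  # constructed line
    " INFO: constructed example of an info-level line",                  # constructed line
    " ----------- SCAN SUMMARY -----------",
    " Infected files: 0",
]


def extract_fields(line: str) -> Optional[dict]:
    """Return {'log_level': ..., 'message': ...} for a matching line, or None.

    re.search looks for the pattern anywhere in the line, so the leading whitespace in
    the ClamAV output does not matter; Splunk's rex is likewise unanchored unless you
    add ^ yourself.
    """
    m = CLAMAV_PATTERN.search(line)
    if m is None:
        return None
    return m.groupdict()


def extract_all(lines):
    """Run the extraction over many lines, keeping only those that produced fields."""
    results = []
    for line in lines:
        fields = extract_fields(line)
        if fields is not None:
            results.append(fields)
    return results


def count_by_level(lines):
    """Count matched lines per log_level, the roll-up a dashboard panel would show."""
    counts = {}
    for fields in extract_all(lines):
        level = fields["log_level"]
        counts[level] = counts.get(level, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(repr(line.strip()[:45]), "->", extract_fields(line))
    print(count_by_level(SAMPLE_LINES))
```

One caveat when moving this back into Splunk: if each scan run is indexed as a single multi-line event, `.` does not cross the newline, so `message` ends at the end of the WARNING line, and `rex` returns only the first match per event unless you add `max_match=0` to get every WARNING line as a multivalue field.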