I have this raw data:
May 20 09:11:09 172.16.20.111 May 20 2013 09:11:09: %ASA-4-113019: Group = AC-Users, Username = <Unknown>, IP = 10.20.50.67, Session disconnected. Session Type: AnyConnect-Parent, Duration: 0h:05m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested
But when I attempt to extract out:
I tried like this:
(?i)\-Parent, (?P<AC-Users_Duration>[^,]+)
Any help is appreciated.
You should be able to grab them like this:
Username = (?<username>[^,]+)
IP = (?<ip>[^,]+)
Duration: (?<duration>[^,]+)
Put four spaces in front of the line to get it to show as-is in a grey box like in my answer. Within a line, you can escape characters with a single backslash in front of them.
How do you guys get the brackets and backslashes to show up in Splunk Base?
I think I got it. Thanks, martin_mueller.
That regex does not add up with the sample logs you provided in your question.
So as martin_mueller so nicely described them - put this in your props.conf:
[your sourcetype]
EXTRACT-user = Username\s+=\s+(?<user>[^,]+)
EXTRACT-duration = Duration:\s+(?<dur>[^,]+)
Hope this helps,
/k
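The two answers above give the same per-field patterns (one regex per field, each stopping at the next comma). The following is an added example, not code from the thread or from Splunk, that runs those patterns over the sample ASA line with Python's re module so the captures can be checked offline. It also shows why the regex from the question misbehaves: a named group containing a hyphen (AC-Users_Duration) is rejected by both PCRE, which Splunk uses, and Python re, and once the name is made legal the pattern captures the "Duration:" label along with the value. The sample line is the one from the question, reproduced here as constructed test input; the field names (group, user, ip, dur, reason) are just the ones used in the props.conf answer plus two added for illustration.

```python
import re

# Constructed sample: the Cisco ASA 113019 line from the question, embedded
# here as test input (not a live log feed).
SAMPLE = (
    "May 20 09:11:09 172.16.20.111 May 20 2013 09:11:09: %ASA-4-113019: "
    "Group = AC-Users, Username = <Unknown>, IP = 10.20.50.67, "
    "Session disconnected. Session Type: AnyConnect-Parent, "
    "Duration: 0h:05m:03s, Bytes xmt: 0, Bytes rcv: 0, Reason: User Requested"
)

# One pattern per field, in the style of the props.conf answer.  Each capture
# stops at the next comma, which is the separator in this message format.
# "group" and "reason" are added here for illustration; the other three are
# the answer's own patterns.
EXTRACTIONS = {
    "group":    re.compile(r"Group\s+=\s+(?P<group>[^,]+)"),
    "user":     re.compile(r"Username\s+=\s+(?P<user>[^,]+)"),
    "ip":       re.compile(r"IP\s+=\s+(?P<ip>[^,]+)"),
    "duration": re.compile(r"Duration:\s+(?P<dur>[^,]+)"),
    "reason":   re.compile(r"Reason:\s+(?P<reason>.+)$"),
}


def extract_fields(event: str) -> dict:
    """Apply every extraction to one event.  A pattern that does not match
    simply leaves its field out, which mirrors how a Splunk EXTRACT- stanza
    behaves on events that lack the field."""
    fields = {}
    for name, pattern in EXTRACTIONS.items():
        m = pattern.search(event)
        if m:
            fields[name] = m.group(1).strip()
    return fields


def group_name_is_valid(name: str) -> bool:
    """Named-group rule shared by PCRE (Splunk) and Python re: letters,
    digits and underscore only, not starting with a digit.  A hyphen, as in
    'AC-Users_Duration', makes the whole regex fail to compile."""
    try:
        re.compile(f"(?P<{name}>x)")
        return True
    except re.error:
        return False


def questioners_attempt(event: str) -> str:
    """The regex from the question with the group renamed to a legal name.
    It captures everything after '-Parent, ' up to the next comma, so the
    'Duration: ' label lands inside the value instead of being skipped."""
    m = re.search(r"(?i)-Parent, (?P<AC_Users_Duration>[^,]+)", event)
    return m.group("AC_Users_Duration") if m else ""


if __name__ == "__main__":
    for field, value in extract_fields(SAMPLE).items():
        print(f"{field:>8} = {value}")
    print("hyphenated group name accepted:", group_name_is_valid("AC-Users_Duration"))
    print("original pattern captures:", repr(questioners_attempt(SAMPLE)))
```

Anchoring each pattern on its own label ("Username =", "Duration:") rather than on the preceding field's text is what makes the extractions robust: they keep working when fields appear in a different order or one of them is missing, and the group name only has to follow the word-character rule.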
I tried with Duration, but it does not work; it does not even show up.
For Username and IP, it tries to classify them as a similar extracted field:
EXTRACT-Portal_User (?i) User <(?P<Portal_User>[^>]+)
EXTRACT-Portal_IP : (?i) IP <(?P<Portal_IP>[^>]+)
Does it have anything to do with the hyphen in the extraction field name?
Tried with this:
(?i)\-Users, Username = (?P<AnyConnectVPN_Users>[^,]+)
And it produced a proper