Solved: Re: Fetch the data from the fields which has 2 wor...

khojas02 · ‎03-30-2020

I have an event as below:

Mar 30 16:59:08 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = roys86, IP = ...**, Session disconnected. Session Type: SSL, Duration: 7h:18m:21s, Bytes xmt: 408659006, Bytes rcv: 162000348, Reason: User Requested

Now, I would like to fetch the values for the fields Session Type, Duration, Bytes xmt, Bytes rcv, Reason

I would also like to rename some the fields after fetching the data. Thanks in advance!!

woodcock · ‎03-30-2020

Like this:

... | rex "Session\sType:\s*(?<session_type>\S+),\s+Duration:\s*(?<duration>\S+),\s*Bytes xmt:\s*(?<bytes_xmt>\d+),\s*Bytes rcv:\s*(?<bytes_rcv>\d+),\s*Reason:\s*(?<reason>.*)" ...

View solution in original post

woodcock · ‎03-30-2020

Like this:

... | rex "Session\sType:\s*(?<session_type>\S+),\s+Duration:\s*(?<duration>\S+),\s*Bytes xmt:\s*(?<bytes_xmt>\d+),\s*Bytes rcv:\s*(?<bytes_rcv>\d+),\s*Reason:\s*(?<reason>.*)" ...

khojas02 · ‎03-31-2020

Thank you for your response. This has worked for me, however my events got changed now as below:

Mar 31 13:21:29 vg1 : %ASA-4-113019: Group = EMPLOYEE, Username = VAZQUD68, IP = 162.228.72.102, Session disconnected. Session Type: SSL, Duration: 1h:06m:28s, Bytes xmt: 17586992, Bytes rcv: 6595282, Reason: Idle Timeout

Can you help me fetch the valules for Group, Username, IP, Session Type, Duration, Bytes xmt, Bytes rcv, Reason? Also, I would like to fetch "vg1" value that can go into the column name "Host".

Thanks in advance!!

woodcock · ‎03-31-2020

Te pattern in my answer is very easy to extend; give it a try and you will learn something!

Fetch the data from the fields which has 2 words in the field name using regular expression?

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio