Hi, I'm sure this is really simple, but I've been unable to figure out the exact regex to capture the hostname value from the event logs.
Sample data:
May 29 14:51:56 deast01pano.xxxxx.com 1,2018/05/29 14:51:56,012501001022,6553964590112973819,0x8000000000000000,USERID,login,2049,2018/05/29 14:51:50,0,0,0,0,vsys1,dwest01fw,1,vsys1,10.142.10.172,xxxxx\pulse,deast01fwua.xxxxx.com,0,1,2700,0,0,agent,,0,0,,2018/05/29 14:51:47,1,0,0,0x0,xxxxx\pulse
I want to capture dwest01fw and replace it in the host field. I tried this regex and tested it on regex101.com, but it failed to capture the host.
USERID,.+,vsys1,(\w+).+$
Transform syntax:
[pan_vsys1_host]
REGEX = USERID,.+,vsys1,(\w+).+$
DEST_KEY = MetaData:Host
FORMAT = host::$1
Kindly guide me on this.
Give this a try
[pan_vsys1_host]
REGEX = USERID,([^,]+,){8}(\w+)
DEST_KEY = MetaData:Host
FORMAT = host::$2
Hey, the above regex captures both vsys1,dwest01fw; I need a regex to capture only the value dwest01fw from the event data.
Sample data:
May 29 14:51:56 deast01pano.xxxxx.com 1,2018/05/29 14:51:56,012501001022,6553964590112973819,0x8000000000000000,USERID,login,2049,2018/05/29 14:51:50,0,0,0,0,vsys1,dwest01fw,1,vsys1,10.142.10.172,xxxxx\pulse,deast01fwua.xxxxx.com,0,1,2700,0,0,agent,,0,0,,2018/05/29 14:51:47,1,0,0,0x0,xxxxx\pulse
Hey, what @somesoni2 posted will work fine. The first capture group captures the vsys1, the second one captures the dwest01fw, but only the second one is then used in the FORMAT line.
You could also use this:
https://regex101.com/r/6U1pkt/1
You would have to use $1 in the FORMAT line. Both solutions should work fine.
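As an added illustration of the two answers above (not code from either poster, and not the regex behind the regex101 link), the snippet below runs the question's original REGEX and @somesoni2's REGEX against the sample event the way a transforms.conf stanza would, and cross-checks the result positionally. The non-capturing variant with $1 is my own assumption, not the linked one.

```python
import re

# Sample event from the thread, embedded as constructed test input (hostnames already masked).
SAMPLE_EVENT = (
    r"May 29 14:51:56 deast01pano.xxxxx.com 1,2018/05/29 14:51:56,012501001022,"
    r"6553964590112973819,0x8000000000000000,USERID,login,2049,2018/05/29 14:51:50,"
    r"0,0,0,0,vsys1,dwest01fw,1,vsys1,10.142.10.172,xxxxx\pulse,deast01fwua.xxxxx.com,"
    r"0,1,2700,0,0,agent,,0,0,,2018/05/29 14:51:47,1,0,0,0x0,xxxxx\pulse"
)

# (REGEX, capture group used in FORMAT) pairs.
ORIGINAL_ATTEMPT = (r"USERID,.+,vsys1,(\w+).+$", 1)   # greedy .+ backtracks to the LAST ",vsys1,"
ANSWER_REGEX = (r"USERID,([^,]+,){8}(\w+)", 2)        # skip exactly 8 fields, host is the 9th
NONCAPTURING_VARIANT = (r"USERID,(?:[^,]+,){8}(\w+)", 1)  # assumed variant so FORMAT can use $1


def extract_host(event, regex, group):
    """Mimic a transforms.conf stanza: unanchored search, return the numbered group or None."""
    m = re.search(regex, event)
    return m.group(group) if m else None


def host_by_position(event, key="USERID", offset=9):
    """Positional cross-check: split the CSV body and take the field `offset` columns after `key`.

    Assumes the syslog header is "<Mon> <day> <time> <host> " followed by the comma-separated
    body, as in the sample; returns None if the layout does not hold.
    """
    parts = event.split(" ", 4)
    if len(parts) < 5:
        return None
    fields = parts[4].split(",")
    try:
        return fields[fields.index(key) + offset]
    except (ValueError, IndexError):
        return None


if __name__ == "__main__":
    for label, (regex, group) in (("original", ORIGINAL_ATTEMPT),
                                  ("answer", ANSWER_REGEX),
                                  ("non-capturing", NONCAPTURING_VARIANT)):
        print(f"{label:14s} -> {extract_host(SAMPLE_EVENT, regex, group)!r}")
    print(f"{'positional':14s} -> {host_by_position(SAMPLE_EVENT)!r}")
```

The original attempt does match, but its greedy `.+` lands on the second `vsys1,` and hands back `10` (the start of the IP), which is why the host field looked wrong rather than empty.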