Patrick,
Thanks for your help. I don't know how to manually build a regex, and because the field names were edited out, I don't know what to make of it. Here is the data I am trying to create a regex for; see below how far along I was able to get with the Splunk builder. Can you assist with that? I appreciate it.
Jan 7 10:34:22 172.20.1.62 Jan 7 14:34:23 DSO-TW-ASA-Prim-SFR SFIMS: [Primary Detection Engine (252a23cc-7196-11e4-8256-c709c2db90d1)][FMPA - Main Policy] Connection Type: End, User: fred, Client: SSL client, Application Protocol: HTTPS, Web App: Unknown, Access Control Rule Name: Malware | URL Monitor, Access Control Rule Action: Allow, Access Control Rule Reasons: Unknown, URL Category: Government, URL Reputation: High risk, URL: https://sharepoint.fmpa.com, Interface Ingress: MPLS-MFN, Interface Egress: RouterNet, Security Zone Ingress: N/A, Security Zone Egress: N/A, Security Intelligence Matching IP: None, Security Intelligence Category: None, Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 9, Responder Packets: 9, Initiator Bytes: 2457, Responder Bytes: 2974, Context: unknown {TCP} 172.23.3.151:60442 -> 10.0.0.88:443
Regex:
^(?P<Extract_Date>\w+\s+\d+\s+\d+:\d+:\d+)\s+(?P<Host>[^ ]+)\s+(?P<Date>\w+\s+\d+)\s+(?P<Time>[^ ]+)[^:\n]*:\s+(?P<DSO>\[\w+\s+\w+\s+\w+\s+\([a-f0-9]+\-\d+\-[a-f0-9]+\-\d+\-[a-f0-9]+\)\]\[\w+\s+\-\s+\w+\s+\w+\])(?:[^ \n]* ){3}(?P<Connection_Type>[^,]+)[^,\n]*,\s+\w+:\s+(?P<User>[^,]+),\s+\w+:\s+(?P<Client>[^,]+)[^:\n]*:\s+(?P<App_Protocol>\w+)
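The builder's regex above is positional: it walks the line token by token, ties the engine UUID to this one event's layout (the `\-\d+\-` segments only match because the second and fourth UUID groups, 7196 and 8256, happen to be all digits here), and would need a new group for every additional field. An alternative that a practitioner would usually prefer for SFIMS connection events is to split the syslog header off with one anchored regex and then treat the rest of the line as generic "Key: Value" pairs, which yields every field at once and does not care about field order. The following Python is an added example, not code from the post or from Splunk; the sample event is the one quoted above, the group names (`receive_time`, `relay_ip`, `engine_uuid`, `src_ip`, and so on) are my own choice, and the key-to-field-name mapping (lowercase, spaces to underscores) is an assumption, not a Splunk convention. Python's `(?P<name>...)` syntax is also accepted by the PCRE engine behind Splunk's `rex`, so the header pattern carries over.

```python
import re
from typing import Any, Dict

# Constructed sample: the single SFIMS connection event quoted in the post.
SAMPLE = (
    "Jan 7 10:34:22 172.20.1.62 Jan 7 14:34:23 DSO-TW-ASA-Prim-SFR SFIMS: "
    "[Primary Detection Engine (252a23cc-7196-11e4-8256-c709c2db90d1)]"
    "[FMPA - Main Policy] Connection Type: End, User: fred, Client: SSL client, "
    "Application Protocol: HTTPS, Web App: Unknown, "
    "Access Control Rule Name: Malware | URL Monitor, Access Control Rule Action: Allow, "
    "Access Control Rule Reasons: Unknown, URL Category: Government, "
    "URL Reputation: High risk, URL: https://sharepoint.fmpa.com, "
    "Interface Ingress: MPLS-MFN, Interface Egress: RouterNet, "
    "Security Zone Ingress: N/A, Security Zone Egress: N/A, "
    "Security Intelligence Matching IP: None, Security Intelligence Category: None, "
    "Client Version: (null), Number of File Events: 0, Number of IPS Events: 0, "
    "TCP Flags: 0x0, NetBIOS Domain: (null), Initiator Packets: 9, Responder Packets: 9, "
    "Initiator Bytes: 2457, Responder Bytes: 2974, "
    "Context: unknown {TCP} 172.23.3.151:60442 -> 10.0.0.88:443"
)

# Syslog header: receiver timestamp, relay address, sensor timestamp, sensor name,
# then the SFIMS prefix with the detection engine, its UUID and the policy name.
# The UUID is matched as 8-4-4-4-12 hex groups, so hex digits in any group are fine.
HEADER_RE = re.compile(
    r"^(?P<receive_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"  # stamped by the syslog receiver
    r"(?P<relay_ip>\S+)\s+"                                                # address the event arrived from
    r"(?P<device_time>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+"   # stamped by the sensor itself
    r"(?P<device_name>\S+)\s+SFIMS:\s+"
    r"\[(?P<engine>[^(\]]+?)\s+\((?P<engine_uuid>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\)\]"
    r"\[(?P<policy>[^\]]+)\]\s+"
    r"(?P<body>.+)$"
)

# Split the body only on ", " that is followed by something shaped like "Key: ",
# so a value that itself contains a comma is not cut in half.
KV_SPLIT = re.compile(r", (?=[A-Z][A-Za-z ]*: )")

# The Context value carries the 5-tuple: "<label> {PROTO} src:port -> dst:port".
CONTEXT_RE = re.compile(
    r"^(?P<context_label>\S+)\s+\{(?P<protocol>\w+)\}\s+"
    r"(?P<src_ip>[^:\s]+):(?P<src_port>\d+)\s+->\s+(?P<dst_ip>[^:\s]+):(?P<dst_port>\d+)$"
)

# Fields that are always integer counters in this event type (assumption based on the sample).
COUNT_FIELDS = (
    "number_of_file_events", "number_of_ips_events",
    "initiator_packets", "responder_packets",
    "initiator_bytes", "responder_bytes",
    "src_port", "dst_port",
)


def parse_sfims(line: str) -> Dict[str, Any]:
    """Parse one SFIMS connection event into a flat dict of fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SFIMS connection event")
    event: Dict[str, Any] = m.groupdict()
    body = event.pop("body")

    for item in KV_SPLIT.split(body):
        key, sep, value = item.partition(": ")
        if not sep:
            continue  # defensive: ignore anything that is not "Key: Value"
        # "Access Control Rule Name" -> "access_control_rule_name"
        event[key.strip().lower().replace(" ", "_")] = value.strip()

    ctx = CONTEXT_RE.match(event.get("context", ""))
    if ctx:
        event.update(ctx.groupdict())

    for name in COUNT_FIELDS:
        if name in event and event[name].isdigit():
            event[name] = int(event[name])
    return event


if __name__ == "__main__":
    for field, value in parse_sfims(SAMPLE).items():
        print(f"{field} = {value!r}")
```

Values such as `(null)`, `None` and `N/A` are kept as literal strings so the caller can decide how to treat them; the only normalisation applied is the integer conversion of the packet, byte and port counters. If a future event contains a value with ", " followed by text that looks like a key, the lookahead split will cut it; that is the residual ambiguity of the format itself, not of the parser.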