Sample Event from Cisco WSA add-on 1542205718.000 379 10.0.0.3 TCP_MISS/301 4241 POST http://test_web.com/page4/d.jpg Zerimski DIRECT/www.xxxxxxx12.com image/gif BLOCK_AMW_RESP_379-Allow_All_iDevices-WebxOnly-NONE-DefaultGroup-DefaultGroup-RoutingPolicy <IW_infr,4.5,-,"-",-,-,-,14,"880F4.dll",379,379,379,"F27634FC0",-,-,"-","-",-,-,IW_infr,"13","-","threat1","Avc_app","Avc_app_category","dbca","err",347.8634,1,[Remote],"-","-",14,"abcd",379,1,"880F4.pdf","72C9206BDE076785C3CEBEF7D8FF1FF3C35B0178BB01A299AFFC7BF35D593B37",-> "Anonymous_Suspect_Vendor" "Mozilla/5.0 (X11; U; Linux arm7tdmi; rv:1.8.1.11) Gecko/20071130 Minimo/0.025" - - Regex (Field Extraction) from Cisco WSA add-on REGEX = (?<timestamp>[0-9.]+)\s+(?<x_elapsed_time>[0-9]+)\s+(?<src_ip>[a-zA-Z0-9:.]*)\s+(?<txn_result_code>[A-Z_]*)\/(?<status>[0-9]*)\s+(?<bytes_in>[0-9]*)\s+(?<http_method>\w*)\s+(?<url>\S*)\s+["|']?(?<user>[^\s"']+)["|']?\s+(?<server_contact_mode>[^\/]+)\/(?<dest>\S*)\s+(?<http_content_type>\S*)\s+(?<acltag>\S*)\s+(?:<|&lt;)(?<x_webcat_code_abbr>[^,]+),(?<wbrs_score>[^,]+),["|']?(?<x_webroot_scanverdict>[0-9]{0,2}|\-|\w+)["|']?,["|']?(?<webroot_threat_name>[^,"']+)["|']?,(?<x_webroot_trr>[^,]+),(?<x_webroot_spyid>[^,]+),(?<x_webroot_trace_id>[^,]+),(?<x_mcafee_scanverdict>[^,]+),["|']?(?<x_mcafee_filename>[^,]+?)["|']?,(?<x_mcafee_scan_error>[^,]+),(?<x_mcafee_detecttype>[^,]+),(?<x_mcafee_av_virustype>[^,]+),["|']?(?<x_mcafee_virus_name>[^,]+?)["|']?,(?<x_sophos_scanverdict>[^,]+),(?<x_sophos_scancode>[^,]+),["|']?(?<x_sophos_file_name>[^,]+?)["|']?,["|']?(?<x_sophos_virus_name>[^,]+?)["|']?,(?<x_ids_verdict>[^,]+),(?<x_icap_verdict>[^,]+),(?<x_webcat_req_code_abbr>[^,]+),["|']?(?<x_webcat_resp_code_abbr>[^,]+?)["|']?,["|']?(?<x_resp_dvs_threat_name>[^,]+?)["|']?,["|']?(?<x_wbrs_threat_type>[^,"']+)["|']?,["|']?(?<x_avc_app>[^,"']+)["|']?,["|']?(?<x_avc_type>[^,"']+)["|']?,["|']?(?<x_avc_behavior>[^,"']+)["|']?,["|']?(?<x_request_rewrite>[^"',]+)["|']?,(?<x_avg_bw>[^,]+),(?<x_bw_throttled>[^,]+),(?<x_user_type>[^,]+),["|']?(?<x_resp_dvs_verdictname>[^,"']+)["|']?,["|']?(?<x_req_dvs_threat_name>[^,"']+)["|']?(,["|']?(?<x_amp_verdict>[^,"']+)["|']?,["|']?(?<x_amp_malware_name>[^"']+)["|']?,(?<x_amp_score>[^,]+),(?<x_amp_upload>[^,]+),["|']?(?<x_amp_filename>[^,]+?)["|']?,["|']?(?<x_amp_sha>[^"',]+)["|']?)?(,["|']?(?<x_file_verdict>[^"',]+)["|']?)?(,(?<x_archive_scan_verdict>[^,]+),["|']?(?<x_archive_scan_verdict_reason>[^"']+)["|']?)?(?:>|&gt;)\s*(?<vendor_suspect_user_agent>-|["|']?[^"']+["|']?)?\s*(?<bytes_out>[0-9]*)?[^\r\n]*$ FE's Works only for Events in Sample Log Format. You can tweak the Regex to match your Events. ... View more

if nothing changed on eventgen Config, it may be that there is no disk or disk full. ... View more

Regex to match full string. Please try this Regex: <[^>]*><[^>]*>.*?\d*.*?<\/[^>]*><\/[^>]*> ... View more

Can you please check Permissions for openldap add-on? Is it Private or Global or App? Please make it Global. ... View more

i assume you have done debug/refresh. Search : index=yourindex sourcetype=ldap modifiersname=* try this search on both the instances. ... View more

Try this to create a field with all texts within the square brackets. | rex "\s*\[(?P<Fieldname>.*?)\]\s*" ... View more

Try this : index=abc sourcetype=xyz | rex "\"(?P<Servername>\w+)\:(?P<Portnumber>\d+)\"" ... View more

I am able to Schedule with this cron job 0 0,1,3-23 * * * in Splunk Version 6.6.4. Can you please provide a screenshot of the error (red mark at cron expression)? ... View more