Refine your search:

Regex data from its position in string?

0

Hi,

I have just installed Splunk as want to get some reports out of a Barracuda Spam firewall we have installed that sends all data to a syslog server. I have installed Splunk on the same machine as syslog so getting the file imported was easy.

The problem I am having is with trying to extract fields from the data as I can't seem to 'teach' the system the correct regex.

The following is an example line from syslog (anonomiyzed obviously):

Sep 24 15:34:59 192.168.0.1 inbound/pass1[26165]: 114-38-48-47.dynamic.hinet.net[114.38.48.47] 1285338898-663591fe0001-1ljPNx 1285338898 1285338899 RECV sender@domain.com receiver@domain.com 2 62 114.38.48.47

The data can be totally different which is why Splunk seems to have a problem with it, but the data is always in the same order:

Timestamp:  Sep 24 15:34:59
Host:  192.168.0.1
Process:  inbound/pass1[26165]:
Sender:  114-38-48-47.dynamic.hinet.net[114.38.48.47]
MessageID:  1285338898-663591fe0001-1ljPNx
StartTime:  1285338898
EndTime:  1285338899
Service:  RECV
From:  sender@domain.com
To:  receiver@domain.com
ActionCode:  2
ReasonCode:  62
SenderIP:  114.38.48.47

It was all going well until I got to the ActionCode!

There is always whitespace between the 'parts' so am sure it is just a matter of getting the regex correct but am struggling.

Would appreciate some help.

Thanks.

Pete.

asked 24 Sep '10, 14:46

pshankland's gravatar image

pshankland
11
accept rate: 0%

Can you post the regex you tried?

(24 Sep '10, 15:26) christopherutz

Does it always log a single To address, or can you have multiple entries?

(24 Sep '10, 17:59) southeringtonp ♦
2 Answers:
oldestnewestmost voted
0 
\w+ \d+ \d{2}:\d{2}:\d{2} (?<host>[0-9.]+)\s+(?<process>\S+)\s+(?<sender>\S+)\s+(?<msgid>\S+)\s+(?<starttime>\d+)\s+(?<endtime>\d+)\s+(?<service>\S+)\s+(?<from>\S+)\s+(?<to>\S+)\s+(?<actioncode>\S+)\s+(?<reasoncode>\S+)\s+(?<senderip>[0-9.]+)
link

answered 24 Sep '10, 17:43

twinspop's gravatar image

twinspop
5403432
accept rate: 45%

0

Thanks for the replies.

Just to explain what I am trying...

I am in the Search window and then click next to one of the entries and select "Extract Fields". I have then highlighted the bit I want to extract and dragged it into the Example Values box. Finally, I have then gone through deleting the sample extractions that were wrong.

A pattern never correctly generates as the figures are so small, this is why I thought RegEx would be the correct way to look at the issue.

Twinspop - could you let me know where I should be using the regex as assumed it would have been when extracting but that just failed :)

Thanks.

link

answered 28 Sep '10, 16:07

pshankland's gravatar image

pshankland
11
accept rate: 0%

Post your answer
toggle preview

Follow this question

Log In to enable email subscriptions

RSS:

Answers

Answers + Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×458

Asked: 24 Sep '10, 14:46

Seen: 1,326 times

Last updated: 01 Apr '11, 01:22

Related questions

Regex to select string from raw data

removing last two characters from results

Regex question extracting user from webserver log

creating a _masheddate3 in datetime.xml

REGEX to collect all data after final closing bracket

Using regex to extract domain from delimited email recipients, and then count them

regex help

Regex for SAR data in UNIX

How to copy/paste a regex into splunk

Copyright © 2005-2012 Splunk Inc. All rights reserved.