Splunk Search

How do you extract multiple substrings from the following events?

atul9771
Engager

I'm new to Splunk.

I have a log event in the following format. The report should capture the Hostname, Agentname and Resource. Also, I'd like to remove the duplicate entries.
[Event] [Hostname] [Date/Time] [ClientIP] [UserDN] [Agentname] [Action] [Resource]
[TransactionID] [Reason] [Status Message] [Impersonator Name] [Impersonator Dir Name]

and a log entry example is below:

AuthAccept Hostname [03/Dec/2018:17:43:06 -0600] "ClientIP UserDN" "Agentname GET /WMT_Logon/Account/LogOn?ViewFlag=false" [idletime=1800;maxtime=603603054;authlevel=5;] [0]  [] []
CN =    FirstName LastName host =   HostName source =   c:\Program Files (x86)\ca\siteminder\log\smaccess-dotoksm03pv.log sourcetype =  smaccess

I want Hostname, Agentname and Resource; Resource in the above example is /WMT_Logon/Account/LogOn?ViewFlag=false, but it could be different for every event.

I appreciate any help writing this search string. Thanks

0 Karma
1 Solution

nagarjuna280
Communicator

Try this:

index=* host=* sourcetype = smaccess | rex field=_raw "\w+\s+(?P<Hostname>[^\s]+)([^\]]+)\]\s\"(?P<ClientIP_UserDN>[^\"]+)\"\s\"(?P<Agentname>[^\s]+)\s(?P<Action>[^\s]+)\s(?P<Resource>[^\"]+)\""
 | table Hostname, Agentname, Resource | dedup Hostname, Agentname, Resource


0 Karma


atul9771
Engager

I figured out the error. Instead of P, you need to put the actual field name. Here is the final syntax. Thanks for your help
(?<Hostname>[^\s]+)([^]]+)]\s\"(?<ClientIP_UserDN>[^\"]+)\"\s\"(?<Agentname>[^\s]+)\s(?<Action>[^\s]+)\s(?<Resource>[^\"]+)

0 Karma
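To make the accepted answer's rex and atul9771's final syntax concrete, here is an added Python example (not code from the thread or from Splunk) that applies the same named-group regex to a few constructed smaccess-style events, pulls out Hostname, Agentname and Resource, and removes duplicates the way `table | dedup` does. The sample events, host names, agent names and the group names ClientIP_UserDN and Action are assumptions for illustration. Python's re module only accepts the (?P<name>...) spelling; Splunk's PCRE also accepts (?<name>...), which is why the shorter form worked in the final SPL.

```python
import re

# Constructed sample events in the format described in the question
# (placeholder hosts, agents, users and paths; not real log data).
SAMPLE_EVENTS = [
    'AuthAccept web01 [03/Dec/2018:17:43:06 -0600] "10.0.0.5 CN=First Last,OU=Users" '
    '"agent-a GET /WMT_Logon/Account/LogOn?ViewFlag=false" '
    '[idletime=1800;maxtime=603603054;authlevel=5;] [0]  [] []',
    # Same host/agent/resource as above, different client: a duplicate for the report.
    'AuthAccept web01 [03/Dec/2018:17:43:07 -0600] "10.0.0.6 CN=Other User,OU=Users" '
    '"agent-a GET /WMT_Logon/Account/LogOn?ViewFlag=false" '
    '[idletime=1800;maxtime=603603054;authlevel=5;] [0]  [] []',
    'AuthReject web02 [03/Dec/2018:17:43:08 -0600] "10.0.0.7 CN=Third User,OU=Users" '
    '"agent-b POST /WMT_Logon/Account/Submit" '
    '[idletime=1800;maxtime=603603054;authlevel=5;] [0]  [] []',
    # A line that does not match the format; rex would simply not extract fields from it.
    'garbage line that does not match',
]

# Same structure as the rex in the accepted answer, with the named groups restored.
# Group names other than Hostname, Agentname and Resource are assumed for this example.
EVENT_RE = re.compile(
    r'\w+\s+(?P<Hostname>[^\s]+)'          # event type, then host
    r'\s\[(?P<DateTime>[^\]]+)\]'          # [Date/Time]
    r'\s"(?P<ClientIP_UserDN>[^"]+)"'      # "ClientIP UserDN"
    r'\s"(?P<Agentname>[^\s]+)'            # opening quote, then agent name
    r'\s(?P<Action>[^\s]+)'                # HTTP method
    r'\s(?P<Resource>[^"]+)"'              # resource path up to the closing quote
)

WANTED = ("Hostname", "Agentname", "Resource")


def extract_fields(event, wanted=WANTED):
    """Return the wanted named groups as a dict, or None if the event does not match."""
    match = EVENT_RE.search(event)
    if match is None:
        return None
    return {name: match.group(name) for name in wanted}


def dedup_events(events, wanted=WANTED):
    """Mimic `| table ... | dedup ...`: keep the first row for each distinct field combination."""
    seen = set()
    rows = []
    for event in events:
        fields = extract_fields(event, wanted)
        if fields is None:
            continue  # non-matching events contribute no row, as with rex
        key = tuple(fields[name] for name in wanted)
        if key in seen:
            continue
        seen.add(key)
        rows.append(fields)
    return rows


if __name__ == "__main__":
    for row in dedup_events(SAMPLE_EVENTS):
        print(row)
```

Running the script prints two rows: the web01/agent-a/LogOn combination once (its second occurrence is dropped by the dedup step) and the web02/agent-b/Submit row. If you need more fields in the report, add their names to WANTED; the regex already captures DateTime, ClientIP_UserDN and Action.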

nagarjuna280
Communicator

This site is hiding some characters; that is why you are not able to see the whole regex (the field names).

Look at this: https://www.regular-expressions.info/refext.html . You can see named capturing groups (3 ways).

0 Karma

atul9771
Engager

Thanks nagarjuna280 for your answer, but I got the following error:
Regex: unrecognized character after (?P, and the error entry in the log file is:

12-04-2018 21:43:51.453 ERROR dispatchRunner - RunDispatch::runDispatchThread threw error: Error in 'rex' command: Encountered the following error while compiling the regex '\w+\s+(?P[^\s]+)([^]]+)]\s"(?P[^"]+)"\s"(?P[^\s]+)\s(?P[^\s]+)\s(?P[^"]+)"': Regex: unrecognized character after (?P

0 Karma