Hello,
Attached here is the list of roles we have. But my regular expression is only showing results for RSI - VPN Users, not for all the other roles.
rex "^[^\)\n]*\)\[(?P\w+\s+\-\s+\w+\s+\w+)]"
Can you please help me here?
Entire Query:
index=juniperindex
| rex "(?P\w+\s+\d+)\s+(?P\d+:\d+:\d+)\s?+(?P\d+\.\d+\.\d+\.\d+)\s+(?P\d+-\d+-\d+T\d+:\d+:\d+-\d+:\d+)\s+(?P[[:graph:]]+)\s+\w+:\s+\d+-\d+-\d+\s+\d+:\d+:\d+\s+-\s+\w++\s+-\s+\[(?P\d+\.\d+\.\d+\.\d+)\]\s+(?P\w+)\((?P[[:graph:]]+)\)\[\]\s+-\s+(?P.+)"
| rex "^[^\)\n]*\)\[(?P\w+\s+\-\s+\w+\s+\w+)"
| rex "^(?:[^'\n]*'){7}(?P\w+)]"
| rex "host\s+\'(?P[[:graph:]]+)\'"
| rex "address\s+\'(?P[[:graph:]]+)\'"
| rex "for\s+user\s+\'(?P[[:alnum:]]+)\'"
| rex "reason\s+\'(?P[[:print:]]+)\'"
| rex "^(?:[^'\n]*'){2}\s+(?P\w+)"
| search status=failed OR status=passed
| replace "passed" with successful in status
| dedup user_name
| table _time IP MAC user_name status user_group
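The poster's role pattern `\w+\s+\-\s+\w+\s+\w+` only accepts a role shaped exactly "word - word word", so any role with a different word count or no " - " separator is silently dropped. The following Python script is an added example, not code from the original post or from Splunk; it runs the poster's role regex and a shape-agnostic alternative over a few constructed log lines. The capture group name `user_group` is assumed from the `table` command (the original group names were lost in extraction), the sample events are constructed, and the only structural assumption is that the role appears as `)[role]` after the first `)` on the line, which is what the poster's own rex anchors on.

```python
import re

# Constructed sample events (not from the original post). Their only
# structural assumption is that the role appears as ")[<role>]" right after
# the first ")" on the line, which is what the poster's rex anchors on.
SAMPLE_EVENTS = [
    "Jun 10 10:20:30 192.0.2.10 2023-06-10T10:20:30-05:00 gw1 ive: 2023-06-10 10:20:30 - gw1 - "
    "[198.51.100.7] jdoe(Realm)[RSI - VPN Users] - Login succeeded for user 'jdoe'",
    "Jun 10 10:21:02 192.0.2.10 2023-06-10T10:21:02-05:00 gw1 ive: 2023-06-10 10:21:02 - gw1 - "
    "[198.51.100.8] asmith(Realm)[Admins] - Login succeeded for user 'asmith'",
    "Jun 10 10:21:40 192.0.2.10 2023-06-10T10:21:40-05:00 gw1 ive: 2023-06-10 10:21:40 - gw1 - "
    "[198.51.100.9] bliu(Realm)[RSI - Contractor Remote Access] - Login failed for user 'bliu'",
    "Jun 10 10:22:15 192.0.2.10 2023-06-10T10:22:15-05:00 gw1 ive: 2023-06-10 10:22:15 - gw1 - "
    "[198.51.100.10] cgarcia(Realm)[Finance-Users] - Login succeeded for user 'cgarcia'",
]

# The poster's pattern, with the capture group named user_group (name assumed
# from the table command). It requires the role to be exactly "word - word word",
# so "Admins", "Finance-Users" and a four-word role never match.
ORIGINAL_ROLE_RE = re.compile(r"^[^\)\n]*\)\[(?P<user_group>\w+\s+\-\s+\w+\s+\w+)]")

# Shape-agnostic alternative: capture everything up to the closing bracket.
# Like the original, it still does not match the empty "[]" form.
GENERAL_ROLE_RE = re.compile(r"^[^\)\n]*\)\[(?P<user_group>[^\]]+)\]")


def extract_roles(events, pattern):
    """Return the user_group captured from each event, or None where the pattern misses."""
    results = []
    for event in events:
        match = pattern.search(event)
        results.append(match.group("user_group") if match else None)
    return results


if __name__ == "__main__":
    for label, pattern in (("original", ORIGINAL_ROLE_RE), ("general", GENERAL_ROLE_RE)):
        print(label, extract_roles(SAMPLE_EVENTS, pattern))
```

The same shape-agnostic capture in SPL would be `rex "^[^\)\n]*\)\[(?<user_group>[^\]]+)\]"`; Splunk's rex is PCRE, so the negated class behaves as in Python here. If some roles legitimately contain `]`, widen the class accordingly rather than going back to a fixed word count.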