
I have a field called "M" and some of the values are as follows:

"Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530"

"Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524"

"Panorama push to device:016401009013 for device-group: Austin_Experience_Lounge succeeded. JobId=2480530"

How can I extract just the first string in between each "....device-group: *** succeeded. ....", where *** represents the respective value to be extracted. In the case of the above 3 examples, the 3 values extracted are "Durham_IPV6_INET_SVCS", "Azure-China-Internet-North" and "Austin_Experience_Lounge" respectively.

I tried using the following Splunk command but got no success:

|rex "body\s(?<portNumber>\d+)\s"

I appreciate any help on this regex issue. Thanks,

  • Why do you use `body\s(?\d+)\s`? You are not trying to extract a port number, are you? Try `device-group:\s*(?\S+)\s+succeeded` – Wiktor Stribiżew Sep 23 '22 at 14:35
  • `(?<=device-group: )[\w-]+` using [positive lookbehind](https://stackoverflow.com/a/2973495/8355969) – Carapace Sep 23 '22 at 15:14
  • This worked perfectly. By the way, if I had logs such as: "Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861" "Client authentication successful PAN-OS ver: 9.1.11 Panorama ver:10.1.6-h6 Client IP: 10.58.90.53 Server IP: 10.58.90.200 Client CN: 010401005346", how can I extract BOTH the PAN-OS and Panorama ver, i.e. 9.1.11, 10.1.6-h6, 10.1.6-h3, 9.1.11-h3? I tried the following but it doesn't work - | rex field=body "[Panorama][PAN-OS]\s*:(?.+?) Client" – Patrick O'Rourke Sep 25 '22 at 21:55
  • Try `PAN-OS\s*ver:\s*(?\S+)\s*Panorama ver:\s*(?\S+)`, see https://regex101.com/r/tEXjZ9/1 – Wiktor Stribiżew Sep 27 '22 at 12:01

1 Answer


At search time, use the rex command to extract the device-group value.

| rex field=M "device-group:\s*(?<deviceGroup>.+?) succeeded"
RichG
  • Hi, thanks for this answer! This works almost perfectly BUT it fails to pick up instances where the text in between "....device-group:" and "succeeded ...." is made up of a series of words with spaces. Examples include: 1) "Panorama push to device:013101009509 for device-group: Austin Cloud DMZ succeeded. JobId=2484595" where the extracted value should be "Austin Cloud DMZ " 2) "Panorama push to device:013101014290 for device-group: Austin Bank Segmentation succeeded. JobId=2482583" where the extracted value should be "Austin Bank Segmentation". Can you help with extracting such cases too? – Patrick O'Rourke Sep 25 '22 at 18:25
  • Try my revised answer. – RichG Sep 25 '22 at 18:29
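As an added example (not code from the question or the answer), the same patterns run with Python's re module over sample lines constructed from the question: the answer's lazy `.+?` pattern beside a `\S+` variant that misses multi-word group names, plus the PAN-OS/Panorama version extraction from the comments. Python spells a named group `(?P<name>...)`, where Splunk rex accepts `(?<name>...)`.

```python
import re

# Constructed sample log lines, modelled on the question's examples.
PUSH_LOGS = [
    "Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530",
    "Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524",
    "Panorama push to device:013101009509 for device-group: Austin Cloud DMZ succeeded. JobId=2484595",
]
AUTH_LOGS = [
    "Client authentication successful PAN-OS ver: 9.1.11-h3 Panorama ver:10.1.6-h3 Client IP: 10.68.196.211 Server IP: 10.58.217.123 Client CN: 013101004861",
]

# Lazy .+? expands until the first "succeeded", so multi-word names are captured whole.
# (Python uses (?P<name>...) for named groups; Splunk rex uses (?<name>...).)
DEVICE_GROUP_RE = re.compile(r"device-group:\s*(?P<deviceGroup>.+?)\s+succeeded")

# \S+ cannot cross a space, so a name like "Austin Cloud DMZ" produces no match at all.
DEVICE_GROUP_NOSPACE_RE = re.compile(r"device-group:\s*(?P<deviceGroup>\S+)\s+succeeded")

# Both version fields in one pass; \S+ is right here because versions contain no spaces.
VERSION_RE = re.compile(r"PAN-OS\s*ver:\s*(?P<panos>\S+)\s*Panorama\s*ver:\s*(?P<panorama>\S+)")


def extract_device_group(line, pattern=DEVICE_GROUP_RE):
    """Return the device-group name from one push log line, or None if it does not match."""
    m = pattern.search(line)
    return m.group("deviceGroup") if m else None


def extract_versions(line):
    """Return (PAN-OS version, Panorama version) from one auth log line, or None."""
    m = VERSION_RE.search(line)
    return (m.group("panos"), m.group("panorama")) if m else None


if __name__ == "__main__":
    for line in PUSH_LOGS:
        lazy = extract_device_group(line)
        nospace = extract_device_group(line, DEVICE_GROUP_NOSPACE_RE)
        print(f"lazy .+? -> {lazy!r:32} \\S+ -> {nospace!r}")
    for line in AUTH_LOGS:
        print(extract_versions(line))
```

The third push line shows the failure the comments describe: the `.+?` form returns "Austin Cloud DMZ" while the `\S+` form returns None.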