I've got a regex that's working in Regex101's editor, but when I paste it into Splunk I get garbage or no results:
Regex:
^(?:[^ \n]* ){5}\[(?P\w+)(?:\].*\])(?P[^:]+)
Sample entries:
Oct 24 18:43:57 openvpn[36372]: 66.103.224.123:59349 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:59349
Oct 24 18:28:54 openvpn[21337]: 66.103.224.123:50873 [username] Peer Connection Initiated with [AF_INET]66.103.224.123:50873
URL:
https://regex101.com/r/by1mOW/7