I'm using the following regular expression:
(?:"(\d{1,4}\-\d{1,2}\-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2})"|(\d{1,4}\-\d{1,2}\-\d{1,2}\s\d{1,2}:\d{1,2}:\d{1,2}))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s+(?:"([^"]+)"|(\S+))\s*
On the following example log file:
2016-07-28 23:37:32 240144 1.1.1.1 - - - OBSERVED "Social Networking" - 200 TCP_TUNNELED CONNECT - tcp plus.google.com 443 / - - "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.130 Safari/537.36" 1.1.1.1 1135 2522 - "GooglePlus" "none" -
There should be 28 fields in that example log file when date and time are separate fields (I combined them into one field).
With my regular expression, I'm finding that the space in the "cs_categories" field is being used to end the regex match, which doesn't make sense to me since when I try it out on a regex simulator it matches just fine. Example: http://regexr.com/3dtdr
It's obvious that the space in the cs_categories field is somehow throwing off the parser. However, I'm not sure why. I'm not a regex master, so I'm leaning more toward it being a Splunk specific difference in regex engine, but I could be entirely wrong.
I would really appreciate any kind of help.
Thanks.
↧