Below is some sample log file data:
08/22/2018 02:50:06.380 EDT-0400 2 TCP/IP Controller Plugin.Transmitter pool thread <Regular:2>.CybTargetHandlerChannel.call[:695] - Message has been sent: 20180822 02500636+0400 C7STA PLINUX03 ALOPMTA2.N01834/LO.S00001D182340248/MAIN State EXEC SetStart Status(Executing at PLINUX03) Jobno(34523) ChildPid(34527) User(PLINUX03) Host(localhost)
08/22/2018 02:50:06.382 EDT-0400 5 TCP/IP Controller Plugin.Transmitter pool thread <Regular:2>.CybTargetHandlerChannelLogHelper.logConnectionClose[:133] - Conversation with C7STA closed
08/22/2018 02:51:21.761 EDT-0400 5 TCP/IP Controller Plugin.Transmitter pool thread <Regular:1>.CybTargetHandlerChannel.call[:666] - Attempting to send: 20180822 02512176+0400 C7STA PLINUX03 ALOECPC7.N01745/LO.S00002D182340242/MAIN State COMPLETE Cmpc(0) SetEnd User(PLINUX03) Host(localhost)
08/22/2018 02:51:21.771 EDT-0400 2 TCP/IP Controller Plugin.Transmitter pool thread <Regular:1>.CybTargetHandlerChannel.call[:695] - Message has been sent: 20180822 02512176+0400 C7STA PLINUX03 ALOECPC7.N01745/LO.S00002D182340242/MAIN State COMPLETE Cmpc(0) SetEnd User(PLINUX03) Host(localhost)
I was trying to extract the five fields below from the first and fourth lines, which contain "Message has been sent":
I was able to filter lines containing "Message has been sent:" using the expression below, but was not sure how to extract the 5 fields from these lines:
^.*\b(Message has been sent:.)\b.*$
Can someone help? This is for extraction on Splunk. Thank you!
I suggest this regex:
Message has been sent: (?<timestamp>\d{8}\s\d{8}\+\d{4})\s\w+\s\w+\s(?<jobname>\w+)\.N(?<jobnumber>\d+)\/[^\/]+\/(?<statuses>(\w+\s)+)\w+\(.+User\((?<user>\w+)\)
(\d{8}\s\d{8}\+\d{4}) : matches the timestamps
\s(\w+)\.N : matches the job names
\.N(\d+)\/ : matches the job numbers
((\w+\s)+) : matches the statuses
User\((\w+)\) : matches the users
You can see an example here with the data you provided: https://regex101.com/r/G6GD46/4
Do not hesitate to play with this example to get the result you need.
Tell me if you need more explanation of these regexes.
Edit: as suggested by @RichG in the comments, I've added named groups to allow Splunk to extract groups as variables.
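The answer's regex run over the four sample lines from the question, as an added Python example that is not part of the original answer. It assumes Python's `re` module, so the named groups are written in the `(?P<name>...)` form (Splunk's PCRE engine accepts that same form in `rex`), the inner repetition group is made non-capturing, and the trailing space that `(\w+\s)+` leaves on `statuses` is stripped; the log text is copied from the question.

```python
import re

# The answer's pattern, in Python syntax: (?P<name>...) for named groups,
# no need to escape "/" outside a /.../ literal, and the repeated
# "word + space" group made non-capturing so it does not add a stray group.
MESSAGE_SENT_RE = re.compile(
    r"Message has been sent: "
    r"(?P<timestamp>\d{8}\s\d{8}\+\d{4})\s\w+\s\w+\s"
    r"(?P<jobname>\w+)\.N(?P<jobnumber>\d+)/[^/]+/"
    r"(?P<statuses>(?:\w+\s)+)\w+\(.+User\((?P<user>\w+)\)"
)

FIELDS = ("timestamp", "jobname", "jobnumber", "statuses", "user")

# The four sample lines from the question, copied verbatim.
SAMPLE_LOG = """\
08/22/2018 02:50:06.380 EDT-0400 2 TCP/IP Controller Plugin.Transmitter pool thread <Regular:2>.CybTargetHandlerChannel.call[:695] - Message has been sent: 20180822 02500636+0400 C7STA PLINUX03 ALOPMTA2.N01834/LO.S00001D182340248/MAIN State EXEC SetStart Status(Executing at PLINUX03) Jobno(34523) ChildPid(34527) User(PLINUX03) Host(localhost)
08/22/2018 02:50:06.382 EDT-0400 5 TCP/IP Controller Plugin.Transmitter pool thread <Regular:2>.CybTargetHandlerChannelLogHelper.logConnectionClose[:133] - Conversation with C7STA closed
08/22/2018 02:51:21.761 EDT-0400 5 TCP/IP Controller Plugin.Transmitter pool thread <Regular:1>.CybTargetHandlerChannel.call[:666] - Attempting to send: 20180822 02512176+0400 C7STA PLINUX03 ALOECPC7.N01745/LO.S00002D182340242/MAIN State COMPLETE Cmpc(0) SetEnd User(PLINUX03) Host(localhost)
08/22/2018 02:51:21.771 EDT-0400 2 TCP/IP Controller Plugin.Transmitter pool thread <Regular:1>.CybTargetHandlerChannel.call[:695] - Message has been sent: 20180822 02512176+0400 C7STA PLINUX03 ALOECPC7.N01745/LO.S00002D182340242/MAIN State COMPLETE Cmpc(0) SetEnd User(PLINUX03) Host(localhost)
"""


def extract_fields(line):
    """Return the five named fields for one log line, or None when the
    line is not a "Message has been sent:" line (e.g. "Attempting to send:")."""
    match = MESSAGE_SENT_RE.search(line)
    if match is None:
        return None
    fields = match.groupdict()
    # (?:\w+\s)+ always ends on a space; drop it so the value is clean.
    fields["statuses"] = fields["statuses"].strip()
    return fields


def extract_all(text):
    """Apply extract_fields to every line and keep only the lines that matched."""
    return [f for f in (extract_fields(ln) for ln in text.splitlines()) if f]


if __name__ == "__main__":
    for record in extract_all(SAMPLE_LOG):
        print({name: record[name] for name in FIELDS})
```

Only the two "Message has been sent:" lines produce a record; the "Attempting to send:" line carries the same payload but is skipped, which is the behaviour a Splunk `rex` extraction with this pattern has as well.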