Right, so I've fiddled a bit with the parser using your example raw log

The fix I made to make it parse the above log was on row 184 (regex for NETSCALER-SSLVPN-LOGOUT)

<when test="$eventType = 'NETSCALER-SSLVPN-LOGOUT'">

The regex looking for Total_compressedbytes_send & Total_compressedbytes_recv differs slightly from your logs, as in the parser, those fields are looked for with bytes having a capital B

For brevity:

Original regex

<collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User <user:gPatStr> - Client_ip <hostIpAddr:gPatIpAddr> - Nat_ip (?:<postNATSrcIpAddr:gPatIpAddr>|"<:patStrEndQuote>"|<:gPatStr>) - Vserver <hostName:gPatStrEndColon>:<ipPort:gPatInt> - Start_time "<:patStrEndQuote>" - End_time "<:patStrEndQuote>" - Duration <durationMSec:gPatStr> - Http_resources_accessed <httpTotalAccesses:gPatStr> - NonHttp_services_accessed <:gPatStr> - Total_TCP_connections <:gPatInt> - Total_UDP_flows <:gPatInt> - Total_policies_allowed <:gPatInt> - Total_policies_denied <:gPatInt> - Total_bytes_send <sentBytes64:gPatInt> - Total_bytes_recv <recvBytes64:gPatInt> - Total_compressedBytes_send <:gPatInt> - Total_compressedBytes_recv <:gPatInt> - Compression_ratio_send <:gPatStr> - Compression_ratio_recv <:gPatStr> - LogoutMethod "<:patStrEndQuote>" - Group\(s\) "<userGrp:patStrEndQuote>"]]></regex></collectAndSetAttrByRegex>

And what you should change it to

<collectAndSetAttrByRegex src="$_body"><regex><![CDATA[User <user:gPatStr> - Client_ip <hostIpAddr:gPatIpAddr> - Nat_ip (?:<postNATSrcIpAddr:gPatIpAddr>|"<:patStrEndQuote>"|<:gPatStr>) - Vserver <hostName:gPatStrEndColon>:<ipPort:gPatInt> - Start_time "<:patStrEndQuote>" - End_time "<:patStrEndQuote>" - Duration <durationMSec:gPatStr> - Http_resources_accessed <httpTotalAccesses:gPatStr> - NonHttp_services_accessed <:gPatStr> - Total_TCP_connections <:gPatInt> - Total_UDP_flows <:gPatInt> - Total_policies_allowed <:gPatInt> - Total_policies_denied <:gPatInt> - Total_bytes_send <sentBytes64:gPatInt> - Total_bytes_recv <recvBytes64:gPatInt> - Total_compressedbytes_send <:gPatInt> - Total_compressedbytes_recv <:gPatInt> - Compression_ratio_send <:gPatStr> - Compression_ratio_recv <:gPatStr> - LogoutMethod "<:patStrEndQuote>" - Group\(s\) "<userGrp:patStrEndQuote>"]]></regex></collectAndSetAttrByRegex>

Hope this works for you! 

@nisse 

Thank you for reply. I anonymised the name and ip and shared the log and it worked in this log, but I got the same error on the real log.  We can think of the name as Nisse, John. Userroot did not give an error, perhaps because it hit the field within itself

Hi @Rob_SIEM 

I'm actually having a problem with eventType = 'NETSCALER-SSLVPN-LOGOUT for the moment. It gives an error in this field in a real name. Since the events do not come as unknown, it is not possible to check all events.

Can you describe the error, you are saying certain usernames are not parsing correctly to the user field, but some are? 

You can run an aggregate report to check in analytics:

Event Type = NETSCALER-SSLVPN-LOGOUT

Then click the hamburger menu for the display/aggregate columns, remove event receive time/raw event and all other columns except for the following. Then add a row for user, and one more row for count(matched events) and click run.

This will show the format of all users for that specific event type. Are there unusual formats to those users such as whitespace or '-' in the names? 

Thanks,

To explain exactly, I shared a sample log above, this is my real log, I anonymised the ip and names in it and in this way I did not have a problem in the parser, but I got the same error with real values.When I check the logs, it does not come unknown, but it does not seem to parse information such as user and duration.

Got it, I'm able to replicate, we will review and fix the parser.

Thanks!