topic Re: Cisco ice parse fields problem in Knowledge Management

Cisco ice parse fields problem

Dmitriy — Wed, 11 Aug 2021 12:07:24 GMT

Hello!
We have index with cisco events and now we need to parse some fields such as device_mac and device_name. But we can't do it by regex because we get unstructured data from cisco (fields are swapped).

For example in this log first there is device type, and after mac

And the next one comes first mac, and after device type

Could you please help me? How i can parse this fields?

Thanks!

Re: Cisco ice parse fields problem

ITWhisperer — Wed, 11 Aug 2021 12:47:17 GMT

Use two rex commands

| rex "device-type=(?<devicetype>[^,]+)" | rex "device-mac=(?<devicemac>[^,]+)"

Re: Cisco ice parse fields problem

Dmitriy — Wed, 11 Aug 2021 12:53:01 GMT

Could you please explane wrehe i need to use this command?

Re: Cisco ice parse fields problem

ITWhisperer — Wed, 11 Aug 2021 12:54:51 GMT

In your SPL search query.

Re: Cisco ice parse fields problem

richgalloway — Wed, 11 Aug 2021 13:01:25 GMT

Unless I'm missing something, the fields are labeled so parsing is trivial. KV_MODE=auto should do it at index-time. Or use a separate EXTRACT statement in props.conf for each field. Or use a separate rex command for each field in SPL.

Re: Cisco ice parse fields problem

Dmitriy — Wed, 11 Aug 2021 13:02:49 GMT

Thanks!

But i have one more question

How i can save this fields to not in search rex commands? I mean how to auto extract this to fields witout rex commad.

Re: Cisco ice parse fields problem

Dmitriy — Wed, 11 Aug 2021 13:17:22 GMT

Can I use this command in source type? Or maybe another command

Re: Cisco ice parse fields problem

Dmitriy — Wed, 11 Aug 2021 13:30:57 GMT

Could you please give extract syntax to add device-type and device-mac to props.conf

Re: Cisco ice parse fields problem

richgalloway — Wed, 11 Aug 2021 15:59:46 GMT

EXTRACT-mac = device-mac=(?<deviceMac>[^,]+) EXTRACT-type = device-type=(?<deviceType>[^,]+)