topic Re: Extract strings preceded by specific characters, find only the first match per event. in Splunk Search

Extract strings preceded by specific characters, find only the first match per event.

christopheryu — Tue, 29 Sep 2020 17:17:48 GMT

Sorry, this is more of a regex question but can't figure it out myself. I would like to extract a string preceded by the specific characters "Leg x Seg" where x can be any number. The strings to be extracted can have alpha numeric, dots, or underscore characters. Also, find only the first extraction match so there are no duplicate values per log. So from the single event log example below, the strings I'm looking to extract are:

S3R.VPLS92966
EDBK766V0001
P125018_NNI_QBKW5ZP
EDBK49MH0001

Event:
Summary Leg 3 Seg S3R.VPLS92966 Site PBY CNGHDR JuniperJUNIPER_MX SLOT 3 CARD 2 PORT 0 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 3 Seg S3R.VPLS92966 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 1 PORT 1 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 2 Seg EDBK766V0001 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 14 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO virtualswitchVirtualSeries SLOT 1 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT virtualswitchVirtualSeries SLOT 1 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT Leg 1 Seg P125018_NNI_QBKW5ZP Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 1 TAGTYPE transparent TAG 0 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Leg 1 Seg P125018_NNI_QBKW5ZP Leg 2 Seg EDBK766V0001 Leg 3 Seg S3R.VPLS92966

Thank you in advance!

Re: Extract strings preceded by specific characters, find only the first match per event.

christopheryu — Tue, 29 Sep 2020 17:17:50 GMT

In addition, I would be counting the total number of each extracted string from a set of logs so not sure if the strings should be extracted as a single field? Illustration below:

event log 1 extracted strings:
S3R.VPLS92966
EDBK766V0001
P125018_NNI_QBKW5ZP
EDBK49MH0001

event log 2 extracted strings:
S3R.VPLS92966
BDEDBK76V00
P125018_NNI_QBKW5ZP

event log 3 extracted strings:
BDEDBK76V00
P125018_NNI_QBKW5ZP
EDBK49MH0001

Desired result:

string count
S3R.VPLS92966 2
EDBK766V0001 1
P125018_NNI_QBKW5ZP 3
EDBK49MH0001 2
BDEDBK76V00 2

Re: Extract strings preceded by specific characters, find only the first match per event.

mayurr98 — Fri, 15 Dec 2017 20:28:08 GMT

Hey

Try this

index=your_index | field=_raw “Seg\s(?P<seg>[^\s]*)”

Let me know if this helps!

Re: Extract strings preceded by specific characters, find only the first match per event.

woodcock — Sat, 16 Dec 2017 23:19:40 GMT

Like this:

| makeresults
| eval _raw="Summary Leg 3 Seg S3R.VPLS92966 Site PBY CNGHDR JuniperJUNIPER_MX SLOT 3 CARD 2 PORT 0 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 3 Seg S3R.VPLS92966 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 1 PORT 1 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 2 Seg EDBK766V0001 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 14 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO virtualswitchVirtualSeries SLOT 1 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT virtualswitchVirtualSeries SLOT 1 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT Leg 1 Seg P125018_NNI_QBKW5ZP Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 1 TAGTYPE transparent TAG 0 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Leg 1 Seg P125018_NNI_QBKW5ZP Leg 2 Seg EDBK766V0001 Leg 3 Seg S3R.VPLS92966"
| rex max_match=0 "Leg\s+\d+\s+Seg\s+(?<NewField>\S+)"
| eval NewField=mvdedup(NewField)

Re: Extract strings preceded by specific characters, find only the first match per event.

Esky73 — Sun, 17 Dec 2017 22:53:51 GMT

And then add the following - for number of Ocurrences ..

| mvexpand NewField | stats count as Occurences by NewField