https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472504#M132965 <P>Hi Marcin,<BR /> if this answer solves your problem, please accept and/or upvote it</P> <P>Ciao and next time!<BR /> Giuseppe</P> Thu, 31 Oct 2019 14:19:36 GMT gcusello 2019-10-31T14:19:36Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472497#M132958 <P>Hi Team </P> <P>I need to filter logs to catch switches port numbers. I use Splunk Cloud, my expression: </P> <PRE><CODE>\beth\d*(?:-\d+)*(?:/\d+(?:\.\d+)?)?\b </CODE></PRE> <P>How to create named field?</P> <P>Many Thanks</P> Thu, 31 Oct 2019 07:56:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472497#M132958 dabroma5 2019-10-31T07:56:04Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472498#M132959 <P>Hi dabroma5,<BR /> you can create a field using rex command ( <A href="https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Rex">https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Rex</A> <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> <PRE><CODE>| rex "\beth\d*(?&lt;field1&gt;\d+)" </CODE></PRE> <P>I cannot be more precise without an example and the indication of what values you want to extract in fields.</P> <P>P.S.: to display regexes use the Code Sample button.</P> <P>Ciao.<BR /> Giuseppe</P> Thu, 31 Oct 2019 11:56:51 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472498#M132959 gcusello 2019-10-31T11:56:51Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472499#M132960 <P>I wasn't enough specific. Below is part of my log:</P> <P>{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"eth-0-36"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}</P> <P>Port notation can be different depends on the device:<BR /> Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4</P> <P>How to create named field to present information in a table.</P> Thu, 31 Oct 2019 13:46:09 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472499#M132960 dabroma5 2019-10-31T13:46:09Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472500#M132961 <P>Hi dabroma5,<BR /> If all your ports are called Eth or eth, try this:</P> <PRE><CODE>| rex "(?&lt;port&gt;(Eth|eth)[^\"]*)" </CODE></PRE> <P>You can test it at <A href="https://regex101.com/r/nE5Zjt/1">https://regex101.com/r/nE5Zjt/1</A></P> <P>Ciao.<BR /> Giuseppe</P> Thu, 31 Oct 2019 13:47:45 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472500#M132961 gcusello 2019-10-31T13:47:45Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472501#M132962 <P>Hi Giuseppe,</P> <P>Works partially, on below notification I am receiving <STRONG>Ethernet Module</STRONG> instead of <STRONG>Eth1/18</STRONG></P> <P>{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"4a063431-fb65-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1572474806370,"headId":"4a063431-fb65-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"","label":"Link down"},"pointId":[{"desc":"Type: cisco\nIP: A.B.C.D","label":"device-name [A.B.C.D]"},{"desc":"","label":""},{"desc":"Ethernet Module","label":""},{"desc":"","label":"Eth1/18"}]},"id":{"alertId":"Link-down","component":1,"pointId":["A-B-C-D","dev","1","180000"]}}</P> <P>Thanks<BR /> Marcin</P> Thu, 31 Oct 2019 13:56:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472501#M132962 dabroma5 2019-10-31T13:56:19Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472502#M132963 <P>Hi dabroma5,<BR /> Try this.</P> <PRE><CODE>| rex "\"label\":\"(?&lt;port&gt;(Eth|eth)[^\"]*)" </CODE></PRE> <P>that you can test at <A href="https://regex101.com/r/nE5Zjt/2">https://regex101.com/r/nE5Zjt/2</A></P> <P>Ciao.<BR /> Giuseppe</P> Thu, 31 Oct 2019 13:59:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472502#M132963 gcusello 2019-10-31T13:59:16Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472503#M132964 <P>Hi Giuseppe,</P> <P>| rex "\"label\":\"(?(Eth|eth)[^\"]*)" - works perfect</P> <P>thanks<BR /> Marcin</P> Thu, 31 Oct 2019 14:04:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472503#M132964 dabroma5 2019-10-31T14:04:13Z https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472504#M132965 <P>Hi Marcin,<BR /> if this answer solves your problem, please accept and/or upvote it</P> <P>Ciao and next time!<BR /> Giuseppe</P> Thu, 31 Oct 2019 14:19:36 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-named-fields-with-regular-expression/m-p/472504#M132965 gcusello 2019-10-31T14:19:36Z