topic rex for source target in Splunk Search

rex for source target

indeed_2000 — Thu, 15 Jul 2021 19:57:24 GMT

here is my log:

2020-01-19 13:20:15,093 INFO ABC.InEE-Product-00000 [MyProcessor] Detail Packet: M[000] T[111] P[0A0000] AT[00] R[0000] TA[ABC.OutEE-Product] Status[OUT-LOGOUT,EXIT]

2020-01-19 13:36:08,185 INFO ABC.InEP-Product-00000 [MyProcessor] Detail Packet Lost: M[000] T[111] SA[ABC.InEE-Product] R[0000]

what is the rex for

SOURCE=ABC.InEE-Product

TARGET=ABC.OutEE-Product

Model=000

Tip=111

POD=0A0000

any idea?

Thanks,

Re: rex for source target

codebuilder — Thu, 15 Jul 2021 20:11:25 GMT

Have you tried using erex to build the regex for you? It's very handy.

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex

Re: rex for source target

venkatasri — Fri, 16 Jul 2021 01:12:09 GMT

Hi @indeed_2000

You need two different rex as second event is little bit different from first you don't have every field there, see if you can merge them together.

| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+P\[(?<POD>[^\]]+).+?TA\[(?<TARGET>[^\]]+)\]" | rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+SA\[(?<SOURCE>[^\]]+)"

POD , TARGET missing in your second event.

---

An upvote would be appreciated and Accept solution if this reply helps!