https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95539#M24661 <P>I'm not a big regex power yet, I know this is easy, but since it is not on a system I can't test and figure out myself I'm looking for expert assistance.<BR /> Can someone provide a search rex that will pull both the interface and up-down fields from this log?</P> <PRE><CODE>Oct 9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct 9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down Oct 9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct 9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up </CODE></PRE> <P>Looking for a rex that pulls two fields:</P> <PRE><CODE>search | rex field=_raw ?(?&lt;interface&gt;?)?(?&lt;up-down&gt;?)? | stats count by interface,up-down </CODE></PRE> <P>Thanks,<BR /><BR /> Luke</P> Sat, 12 Oct 2013 00:43:26 GMT lukejadamec 2013-10-12T00:43:26Z https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95539#M24661 <P>I'm not a big regex power yet, I know this is easy, but since it is not on a system I can't test and figure out myself I'm looking for expert assistance.<BR /> Can someone provide a search rex that will pull both the interface and up-down fields from this log?</P> <PRE><CODE>Oct 9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct 9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down Oct 9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct 9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up </CODE></PRE> <P>Looking for a rex that pulls two fields:</P> <PRE><CODE>search | rex field=_raw ?(?&lt;interface&gt;?)?(?&lt;up-down&gt;?)? | stats count by interface,up-down </CODE></PRE> <P>Thanks,<BR /><BR /> Luke</P> Sat, 12 Oct 2013 00:43:26 GMT https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95539#M24661 lukejadamec 2013-10-12T00:43:26Z https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95540#M24662 <P>please show that you are looking for precisely.</P> Sat, 12 Oct 2013 04:56:49 GMT https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95540#M24662 yannK 2013-10-12T04:56:49Z https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95541#M24663 <P>Here </P> <P><CODE>mysearch | rex "Interface (?&lt;interface&gt;[^, ]*), changed state to (?&lt;state&gt;\w+)" | table interface state</CODE></P> Sat, 12 Oct 2013 16:20:13 GMT https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95541#M24663 yannK 2013-10-12T16:20:13Z https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95542#M24664 <P>Thanks. I totally need to learn regex.</P> Sat, 12 Oct 2013 17:03:43 GMT https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95542#M24664 lukejadamec 2013-10-12T17:03:43Z https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95543#M24665 <P>here is a good place to start<BR /> <A href="http://www.regular-expressions.info/quickstart.html">http://www.regular-expressions.info/quickstart.html</A></P> Mon, 14 Oct 2013 16:44:40 GMT https://community.splunk.com/t5/Splunk-Search/Inline-field-extraction-with-rex/m-p/95543#M24665 yannK 2013-10-14T16:44:40Z