Solved: How to ignore some rex data? - Splunk Community

All Apps and Add-ons

Using the extract tool, I'm trying to build a field on the "has reached XXXX" number from a Cisco log using the following rex example: | rex "(?i) has reached (?P[^,]+)"

%ROUTING-BGP-5-MAXPFX : No. of IPv4 Unicast prefixes received from 1.2.3.4 has reached 10622, max 14000

It works great, except it's pulling in data I don't want from a similar set of data listed below:

%ENV_MON-2-FAN: Fan array has reached CRITICAL level.

How do I ignore the "CRITICAL level" and only report the number of prefixes? Overall I want something like (NOT "Fan array has reached"), but that obviously doesn't work in rex.

Thanks,

1 Solution

Solution

Try this:
| rex "(?i) has reached (?P<fieldname>\W[^,]+)"
This assumes that you're only interested in numbers - \W means not a letter.

View solution in original post

Solution

Try this:
| rex "(?i) has reached (?P<fieldname>\W[^,]+)"
This assumes that you're only interested in numbers - \W means not a letter.

The \d did it. Thanks.

| rex "(?i) has reached (?P<FIELDNAME>\d[^,]+)"

I guess it should be "\d" to capture just the digits. "\W" didn't work for me.

Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now! In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...