- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- extracting special characters using reg
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a log file as the following
Event1: datetime1 any data xyz [macaddress]{2020-23233-23232-21123} any data { abc }
Event2: datetime2 any data abc [macaddress]{02:00:00:00:00} any data { [ hello ] }
In the middle of each event i have a macaddress name between [ ] and the macaddress value between {}
what is the regular expression that let me extract the macaddress value?
i'm trying this but it's not working search | rex "[macaddress]{(?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi royimad,
try something like this:
your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-])+[\w\d]+)\}" | tabel myadd myMAC
and to match only the IEEE 802 standard you should use this regex
your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-]){5}[\w\d]+)\}" | tabel myadd myMAC
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi royimad,
try something like this:
your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-])+[\w\d]+)\}" | tabel myadd myMAC
and to match only the IEEE 802 standard you should use this regex
your base search here | rex "\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-]){5}[\w\d]+)\}" | tabel myadd myMAC
hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Maybe you should have a look at my App http://apps.splunk.com/app/1249 😉
to your question, this could be done using a lookup
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If i know exactly that myadd is equal to macaddress in all the case but not a random word how can i simplified this ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Perfect thank you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi dude,
well this is based on your provided information 😉 try this
\[(?<myadd>\w+)\]\{(?<myMAC>([\w\d]+[:-])+[\w\d]+)\}
which works perfect in all of those different online regex testers
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello dude,
There are 2 different type of mac address either separated by : or either separated by - and not necessary contains digital letter a mac address could contain any characters other then special ( Your query is working for the mac address separated by : )
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
