
rex everything after 8th whitespace

subtrakt
Contributor

2014-02-01T14:51:24.601752+00:00 .foo.com 21470: Feb 1 14:51:23.570 GMT: %SEC-6-IPACCESSLOGP:

I looked around but couldn't find a rex query to extract the actual Syslog message which would be after the 8th colon in the above message or 8th whitespace will also work.

rex generator isn't giving the desired results.

Thanks in advance for any help.


martin_mueller
SplunkTrust

You could prefix the expression with one that matches eight whitespaces:

^(\S*\s){8}(?<everything_after>.*)$


mikaelbje
Motivator

This field has already been extracted and is called "message_text". If you want to do some magic on the contents of it, just reference that field from the rex command instead of _raw.

I wouldn't recommend you to do a rex after the 8th colon as there is no guarantee there will be eight colons in an IOS syslog message. It all depends on how the logging from the device is set up.

Regards,

Mikael

Author of the Cisco IOS app


martin_mueller
SplunkTrust

That works the same way, just replace \S with [^:] and \s with :

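Added example, not code from the thread: the accepted pattern and its colon variant run in Python against a constructed line modelled on the question's (the text after the %SEC-6-IPACCESSLOGP: tag is made up, as is the second line showing the same event with sequence numbers and timestamps disabled on the device). Python's re spells the named group (?P<name>...) where Splunk's rex uses (?<name>...). The third pattern, anchored on the IOS tag instead of a delimiter count, is my addition and shows why mikaelbje's caveat about the logging setup matters.

```python
import re

# Constructed sample line modelled on the one in the question; the text after
# the mnemonic tag is made up, since the question's line is cut off there.
WITH_SEQ_AND_TS = (
    "2014-02-01T14:51:24.601752+00:00 .foo.com 21470: Feb 1 14:51:23.570 GMT: "
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(443) -> 10.0.0.9(1025), 1 packet"
)
# Same event as it looks when the device runs "no service sequence-numbers"
# and "no service timestamps log" (constructed): fewer fields in front of the tag.
WITHOUT_SEQ_AND_TS = (
    "2014-02-01T14:51:24.601752+00:00 .foo.com "
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.0.0.5(443) -> 10.0.0.9(1025), 1 packet"
)

# The accepted answer's pattern and its colon variant. Splunk's rex writes the
# named group as (?<everything_after>...); Python's re needs (?P<...>).
AFTER_8TH_WHITESPACE = re.compile(r"^(\S*\s){8}(?P<everything_after>.*)$")
AFTER_8TH_COLON = re.compile(r"^([^:]*:){8}(?P<everything_after>.*)$")
# Anchoring on the IOS %FACILITY-SEVERITY-MNEMONIC: tag instead of counting
# delimiters (my addition; roughly what the app's message_text field gives you).
AFTER_IOS_TAG = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:\s*(?P<message_text>.*)$")


def extract(pattern, line, group):
    """Return the named group, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group(group) if m else None


def compare(line):
    """Run all three extractions over one line so the differences are visible."""
    return {
        "after_8th_whitespace": extract(AFTER_8TH_WHITESPACE, line, "everything_after"),
        "after_8th_colon": extract(AFTER_8TH_COLON, line, "everything_after"),
        "after_ios_tag": extract(AFTER_IOS_TAG, line, "message_text"),
    }


if __name__ == "__main__":
    for name, line in (("with seq+ts", WITH_SEQ_AND_TS), ("without", WITHOUT_SEQ_AND_TS)):
        print(name)
        for method, value in compare(line).items():
            print(f"  {method:22} -> {value!r}")
```

On the second line the whitespace count silently returns the wrong tail and the colon count does not match at all, while the tag-anchored pattern returns the message text for both.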

subtrakt
Contributor

What about after 8th ':'


martin_mueller
SplunkTrust

Right - I had one closing parenthesis too many after {8}... adding one in front works as well of course.

For learning and testing, take a look at http://www.regexr.com/


subtrakt
Contributor

rex ^((\S*\s){8})(?<everything_after>.*)$ --- Added another '(' after '^' and it works like a dream! Thanks! Do you recommend any regex cheatsheets or learning resources?
