Re: How to remove trailing end of a field when fie...

noob4now · ‎08-28-2019

Trying to not sound confusing, so here are some examples of PORTs extracted from our logs:

LoPPG-1-23-45-6
PORT-1-2-3-45
CONCATGRP-1-23-4-5
EthernetService-1-23-4-5

Convert these by remove the trailing -# as the lower IDs represent circuits, but removing the end -# identifys the TRUNK:

 LoPPG-1-23-45
PORT-1-2-3
CONCATGRP-1-23-4
EthernetService-1-23-4

The second thing I'd like to try is to remove all the ALPHA characters and the first "-" to only leave:
1-23-4 <-- This is my future goal as we are currently trying to build a dashboard that uses a lookup csv file to identify the circuit ID's, which is designed as NODE/PORT/CircuitID and my search already can find some of these but the lookup table is extracted from the nodes themselves and the PORT names are sometimes different.
Instead of re-building the lookup table, I'd like to have a way to reduce the PORT down to just numbers and dashes on both the SEARCH and LOOKUP side, which are two different things in my search, but they must match to identify the CircuitID.

diogofgm · ‎08-28-2019

Assuming that the fields you need are:

raw: EthernetService-1-23-4-5
trunk: EthernetService-1-23-4
name: EthernetService
node: 1-23
circuit_id: 5
Use this

(your search)|rex field="ciena.portid" "(?<trunk>(?<name>[^\-]+)\-(?<node>(?:[^\-]+\-){2}))(?<circuit_id>\d+)"

You can rename the named capture groups (e.g. trunk, node, name, etc) as you need

------------
Hope I was able to help you. If so, some karma would be appreciated.

jpolvino · ‎08-28-2019

This will strip the last minus and number:

(your search)
| rex "(?<stripLast>.*?-\d+-\d+-\d+).*"

And this will get you the inside stuff:

(your search)
| rex ".*?-(?<inside>.*?-\d+-\d+).*"

noob4now · ‎08-28-2019

Sorry, still a noob here... I don't search for this Column, it is simply a rename command on a pre-defined field. The rename is used to make the extracted field same as the node's native alarm monitoring tool. The idea here is to mimic. So, how would this rex command follow a simple statement as such:

| rename ciena.portid AS Port.ID
...
| table _time Port.ID Alarm ...etc...

Sukisen1981 · ‎08-28-2019

assuming that Port.Id is the field that contains your text , like LoPPG-1-23-45-6
you need to just replace either mine or @jpolvino's rex with something like this | rex field=Port.ID "(?<stripLast>.*?-\d+-\d+-\d+).*" and | rex ".*?-(?<inside>.*?-\d+-\d+).*"
or you do something like this - | rex field=Port.ID "(?\w+\-+\d+\-+\d+\-\d)" | rex field=extract1 "\w+\-(?.*)"

Sukisen1981 · ‎08-28-2019

| makeresults 
|  eval x="EthernetService-1-23-4-5"
| rex field=x "(?<extract1>\w+\-+\d+\-+\d+\-\d)"
| rex field=extract1 "\w+\-(?<extract2>.*)"

Remove makeresults and repalce x by your field name or _raw as applicable

noob4now · ‎08-28-2019

I see what you are doing here, but the Column has all of the supplied examples. I'm assuming I'll have to create a eval field for each of the outputs which I really don't want to do.
I'll play around with this answer of course as everything here is somehow useful today or in the future. Thanks sir!

Sukisen1981 · ‎08-28-2019

hmm not sure why you have to create an eval field for each of your outputs, can you please clarify?
and please don't call me 'sir' as I have not yet been knighted by the queen of England 🙂 🙂

How to remove trailing end of a field when field and trailing end are different and include a dash before the number

Routing logs with Splunk OTel Collector for Kubernetes

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM