
How to remove trailing end of a field when field and trailing end are different and include a dash before the number

noob4now
New Member

Trying to not sound confusing, so here are some examples of PORTs extracted from our logs:

LoPPG-1-23-45-6
PORT-1-2-3-45
CONCATGRP-1-23-4-5
EthernetService-1-23-4-5

Convert these by removing the trailing -# as the lower IDs represent circuits, but removing the end -# identifies the TRUNK:

LoPPG-1-23-45
PORT-1-2-3
CONCATGRP-1-23-4
EthernetService-1-23-4

The second thing I'd like to try is to remove all the ALPHA characters and the first "-" to only leave:
1-23-4 <-- This is my future goal, as we are currently trying to build a dashboard that uses a lookup csv file to identify the circuit IDs, which is designed as NODE/PORT/CircuitID. My search already can find some of these, but the lookup table is extracted from the nodes themselves and the PORT names are sometimes different.
Instead of re-building the lookup table, I'd like to have a way to reduce the PORT down to just numbers and dashes on both the SEARCH and LOOKUP side, which are two different things in my search, but they must match to identify the CircuitID.

0 Karma

diogofgm
SplunkTrust

Assuming that the fields you need are:

raw: EthernetService-1-23-4-5
trunk: EthernetService-1-23-4
name: EthernetService
node: 1-23
circuit_id: 5
Use this

(your search) | rex field="ciena.portid" "(?<trunk>(?<name>[^\-]+)\-(?<node>\d+\-\d+)\-\d+)\-(?<circuit_id>\d+)"

You can rename the named capture groups (e.g. trunk, node, name, etc.) as you need.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma

jpolvino
Builder

This will strip the last minus and number:

(your search)
| rex "(?<stripLast>.*?-\d+-\d+-\d+).*"

And this will get you the inside stuff:

(your search)
| rex ".*?-(?<inside>.*?-\d+-\d+).*"
0 Karma
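As an added illustration (not code from any of the posters), the two rex patterns above applied in Python to the four sample ports from the question, with Splunk's `(?<name>...)` groups rewritten in Python's `(?P<name>...)` syntax; the lookup rows are constructed to show search-side and lookup-side port names compared on the numeric part only, as the question asks for.

```python
import re

# Same patterns as the two rex commands above, in Python named-group syntax.
TRUNK_RE = re.compile(r"(?P<stripLast>.*?-\d+-\d+-\d+).*")
INSIDE_RE = re.compile(r".*?-(?P<inside>.*?-\d+-\d+).*")

# Constructed sample ports, copied from the question.
PORTS = [
    "LoPPG-1-23-45-6",
    "PORT-1-2-3-45",
    "CONCATGRP-1-23-4-5",
    "EthernetService-1-23-4-5",
]


def trunk(port):
    """Drop the trailing -<circuit> number so only the trunk name remains."""
    m = TRUNK_RE.match(port)
    return m.group("stripLast") if m else None


def inside(port):
    """Drop the alpha prefix and its first dash; keep only digits and dashes."""
    m = INSIDE_RE.match(port)
    return m.group("inside") if m else None


def match_lookup(search_port, lookup_rows):
    """Return circuit IDs whose lookup-side PORT has the same numeric part
    as the search-side port. lookup_rows are (node, port, circuit_id) tuples;
    the PORT names may differ in their alpha prefix, so both sides are
    reduced with inside() before comparing."""
    key = inside(search_port)
    return [cid for (_node, lport, cid) in lookup_rows if inside(lport) == key]


if __name__ == "__main__":
    # Constructed lookup rows with a different alpha prefix than the search side.
    rows = [("NODE-A", "ETH-1-23-4-5", "CIR-100"), ("NODE-A", "ETH-9-9-9-1", "CIR-200")]
    for p in PORTS:
        print(p, "->", trunk(p), "/", inside(p))
    print(match_lookup("EthernetService-1-23-4-5", rows))
```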

noob4now
New Member

Sorry, still a noob here... I don't search for this Column, it is simply a rename command on a pre-defined field. The rename is used to make the extracted field same as the node's native alarm monitoring tool. The idea here is to mimic. So, how would this rex command follow a simple statement as such:

| rename ciena.portid AS Port.ID
...
| table _time Port.ID Alarm ...etc...

0 Karma

Sukisen1981
Champion

assuming that Port.ID is the field that contains your text, like LoPPG-1-23-45-6
you need to just replace either mine or @jpolvino's rex with something like this

| rex field=Port.ID "(?<stripLast>.*?-\d+-\d+-\d+).*"

and

| rex field=Port.ID ".*?-(?<inside>.*?-\d+-\d+).*"

or you do something like this:

| rex field=Port.ID "(?<extract1>\w+\-+\d+\-+\d+\-\d+)"
| rex field=extract1 "\w+\-(?<extract2>.*)"

0 Karma

Sukisen1981
Champion
| makeresults
| eval x="EthernetService-1-23-4-5"
| rex field=x "(?<extract1>\w+\-+\d+\-+\d+\-\d+)"
| rex field=extract1 "\w+\-(?<extract2>.*)"

Remove makeresults and replace x by your field name or _raw as applicable

0 Karma

noob4now
New Member

I see what you are doing here, but the Column has all of the supplied examples. I'm assuming I'll have to create an eval field for each of the outputs, which I really don't want to do.
I'll play around with this answer of course as everything here is somehow useful today or in the future. Thanks sir!

0 Karma

Sukisen1981
Champion

hmm not sure why you have to create an eval field for each of your outputs, can you please clarify?
and please don't call me 'sir' as I have not yet been knighted by the queen of England 🙂 🙂

0 Karma