Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help on Regex to extract

sekhar463
Path Finder
‎02-24-2023 06:39 AM

hi all,

how to extract  this  message  bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host   as new fields as BGP connection fields 

 

 

BGP_CONNECT_FAILED: bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-24-2023 06:49 AM

Hi @sekhar463,

could you share your full log?

the regex for the log you shared could be:

| rex "BGP_CONNECT_FAILED: (?<BGP_connection>.*)"

that you can test at https://regex101.com/r/4s62eG/1

but to be more sure I nned the full log.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎02-26-2023 10:27 PM

Thank you its working manually.

how to add automatically for a source type.

i have added the regex in the field extractor but not getting field populated while searching with the sourcetype

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 12:01 AM

Hi @sekhar463,

you can automatically extract the field using the Field Extractor or the [Settings > Fields > ield Extraction > new Field] (in this case you have to identify the sourcetype for the Field Extractioj.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎02-27-2023 12:06 AM

yes i did the same and i have given below regex.

but still not reflecting in the search data

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 02:34 AM

Hi @sekhar463,

check the sourcetype and wait some minute before testing the field extraction, it isn't immediate.

Ciao.

Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

To help practitioners build a stronger foundation, we launched the Data Management & Federation ...

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Casting Call: Compete in Cyber Games

Lights, Camera, SecOps: Apply to Compete in Cyber Games     Think you have what it takes to beat the clock? ...