Re: Need help on Regex to extract

sekhar463 · ‎02-24-2023

hi all,

how to extract this message bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host as new fields as BGP connection fields

BGP_CONNECT_FAILED: bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host

gcusello · ‎02-24-2023

Hi @sekhar463,

could you share your full log?

the regex for the log you shared could be:

| rex "BGP_CONNECT_FAILED: (?<BGP_connection>.*)"

that you can test at https://regex101.com/r/4s62eG/1

but to be more sure I nned the full log.

Ciao.

Giuseppe

sekhar463 · ‎02-26-2023

Thank you its working manually.

how to add automatically for a source type.

i have added the regex in the field extractor but not getting field populated while searching with the sourcetype

gcusello · ‎02-27-2023

Hi @sekhar463,

you can automatically extract the field using the Field Extractor or the [Settings > Fields > ield Extraction > new Field] (in this case you have to identify the sourcetype for the Field Extractioj.

Ciao.

Giuseppe

sekhar463 · ‎02-27-2023

yes i did the same and i have given below regex.

but still not reflecting in the search data

gcusello · ‎02-27-2023

Hi @sekhar463,

check the sourcetype and wait some minute before testing the field extraction, it isn't immediate.

Ciao.

Giuseppe

Need help on Regex to extract

field extraction

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?