Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help on Regex to extract

sekhar463
Path Finder
‎02-24-2023 06:39 AM

hi all,

how to extract  this  message  bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host   as new fields as BGP connection fields 

 

 

BGP_CONNECT_FAILED: bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-24-2023 06:49 AM

Hi @sekhar463,

could you share your full log?

the regex for the log you shared could be:

| rex "BGP_CONNECT_FAILED: (?<BGP_connection>.*)"

that you can test at https://regex101.com/r/4s62eG/1

but to be more sure I nned the full log.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎02-26-2023 10:27 PM

Thank you its working manually.

how to add automatically for a source type.

i have added the regex in the field extractor but not getting field populated while searching with the sourcetype

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 12:01 AM

Hi @sekhar463,

you can automatically extract the field using the Field Extractor or the [Settings > Fields > ield Extraction > new Field] (in this case you have to identify the sourcetype for the Field Extractioj.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎02-27-2023 12:06 AM

yes i did the same and i have given below regex.

but still not reflecting in the search data

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 02:34 AM

Hi @sekhar463,

check the sourcetype and wait some minute before testing the field extraction, it isn't immediate.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...