Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Need help on Regex to extract

sekhar463
Path Finder
‎02-24-2023 06:39 AM

hi all,

how to extract  this  message  bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host   as new fields as BGP connection fields 

 

 

BGP_CONNECT_FAILED: bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host

Labels (1)
Labels
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-24-2023 06:49 AM

Hi @sekhar463,

could you share your full log?

the regex for the log you shared could be:

| rex "BGP_CONNECT_FAILED: (?<BGP_connection>.*)"

that you can test at https://regex101.com/r/4s62eG/1

but to be more sure I nned the full log.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎02-26-2023 10:27 PM

Thank you its working manually.

how to add automatically for a source type.

i have added the regex in the field extractor but not getting field populated while searching with the sourcetype

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 12:01 AM

Hi @sekhar463,

you can automatically extract the field using the Field Extractor or the [Settings > Fields > ield Extraction > new Field] (in this case you have to identify the sourcetype for the Field Extractioj.

Ciao.

Giuseppe

0 Karma
Reply

sekhar463
Path Finder
‎02-27-2023 12:06 AM

yes i did the same and i have given below regex.

but still not reflecting in the search data

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎02-27-2023 02:34 AM

Hi @sekhar463,

check the sourcetype and wait some minute before testing the field extraction, it isn't immediate.

Ciao.

Giuseppe

0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...