Splunk Enterprise

How do you extract a field from known text (with variable) in search results?

dmt_admin
New Member

I am trying to "extract" the port number as a field that I can use to build a pie chart (or time chart) that simply contains the number of times a specific port is mentioned. It seems like it would be SO simple, yet I can't seem to figure out the syntax. I would ultimately like to end up with a field that simply contains either the port number or the words "port (the port number)". I have included a sample of the events below.

Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to learning
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 STP: msti 0 set port 8 to discarding
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to learning
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to learning
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 7 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 7
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 9 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 9
Mar 28 13:06:32 10.0.1.35 Mar 28 13:03:33 Port: link state changed to 'down' on port 8
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 STP: msti 0 set port 8 to discarding
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 9
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 7
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 STP: msti 0 set port 8 to discarding
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 Port: link state changed to 'down' on port 8
1 Solution

493669
Super Champion

Hi @dmt_admin,

...|rex "port\s(?<Port>\d)"

It will extract the port number. Now you can use stats/chart further.

dmt_admin
New Member

This is working! Thank you so much! Could this command be modified to accommodate numbers greater than 9? Just out of curiosity, could this be accomplished without the rex command? I feel like I was wayyy off. I was looking at the match and like commands along with eval. Your command is so short and simple.

Also within the search bar, is there any way to use a wildcard to select "port (port number)"? I have tried "port *" but that doesn't seem correct.

I greatly appreciate your help.

493669
Super Champion

To accommodate greater than 9, use |rex "port\s(?<Port>\d+)" and to select events having port you can try |search Port=*

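Added example, not from this thread or from Splunk: it runs both regexes from the answers over constructed events modelled on the question's syslog lines (the port 10 and port 12 lines are made up to show the multi-digit case) and reproduces what `| stats count by Port` would bucket. Python's re module accepts the same regex apart from spelling the named group `(?P<Port>...)` instead of rex's `(?<Port>...)`.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample events modelled on the switch syslog lines in the question;
# the last two (ports 12 and 10) are added to show what happens above port 9.
EVENTS = [
    "Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C",
    "Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding",
    "Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8",
    "Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 9 to discarding",
    "Mar 28 13:06:32 10.0.1.35 Mar 28 13:03:33 Port: link state changed to 'down' on port 12",
    "Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 STP: msti 0 set port 10 to discarding",
]

# The two regexes from the thread. rex uses PCRE named groups (?<name>...);
# Python's re spells the same group (?P<name>...), everything else is identical.
# Matching is case-sensitive, so the "Port:" prefix (uppercase, followed by a
# colon rather than whitespace) is skipped and only "port N" is captured.
REX_SINGLE_DIGIT = r"port\s(?P<Port>\d)"    # original answer: exactly one digit
REX_MULTI_DIGIT = r"port\s(?P<Port>\d+)"    # follow-up fix: one or more digits


def extract_port(event: str, pattern: str) -> Optional[str]:
    """Return the captured Port value for one event, or None when the pattern
    does not match (rex simply leaves the field absent on such events)."""
    m = re.search(pattern, event)
    return m.group("Port") if m else None


def count_by_port(events: List[str], pattern: str) -> Dict[str, int]:
    """Equivalent of `| rex ... | stats count by Port`: events with no Port
    field drop out, the rest are counted per distinct port value."""
    ports = (extract_port(e, pattern) for e in events)
    return dict(Counter(p for p in ports if p is not None))


if __name__ == "__main__":
    # With \d, "port 12" and "port 10" are both captured as "1", silently
    # merging two real ports into a bogus port 1 bucket on the chart.
    print(count_by_port(EVENTS, REX_SINGLE_DIGIT))  # {'7': 1, '8': 2, '9': 1, '1': 2}
    print(count_by_port(EVENTS, REX_MULTI_DIGIT))   # {'7': 1, '8': 2, '9': 1, '12': 1, '10': 1}
```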