I am trying to "extract" the port number as a field that I can use to build a pie chart (or time chart) that simply contains the number of times a specific port is mentioned. It seems like it would be SO simple, yet I can't seem to figure out the syntax. I would ultimately like to end up with a field that simply contains either the port number or the words "port (the port number)". I have included a sample of the events below.
Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to learning
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 STP: msti 0 set port 8 to discarding
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to learning
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to learning
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 7 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 7
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 9 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 9
Mar 28 13:06:32 10.0.1.35 Mar 28 13:03:33 Port: link state changed to 'down' on port 8
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 STP: msti 0 set port 8 to discarding
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 9
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 7
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 STP: msti 0 set port 8 to discarding
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 Port: link state changed to 'down' on port 8
Hi @dmt_admin,
...|rex "port\s(?<Port>\d)"
It will extract the port number. Now you can use stats/chart further.
This is working! Thank you so much! Could this command be modified to accommodate numbers greater than 9? Just out of curiosity, could this be accomplished without the rex command? I feel like I was wayyy off. I was looking at the match and like commands along with eval. Your command is so short and simple.
Also, within the search bar, is there any way to use a wildcard to select "port (port number)"? I have tried "port *" but that doesn't seem correct.
I greatly appreciate your help.
To accommodate numbers greater than 9, use: |rex "port\s(?<Port>\d+)"
And to select events having a port, you can try: |search Port=*
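The difference between the two patterns in this thread, as an added example that is not part of the original posts: it applies `\d` and `\d+` to constructed events in the question's log format and counts events per port the way a `stats count by Port` would. The sample lines with ports 10 and 12 and the helper name `count_ports` are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample events in the same format as the question's logs;
# ports 10 and 12 are added here to exercise multi-digit port numbers.
SAMPLE_EVENTS = """\
Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 10 to forwarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'down' on port 12
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 STP: msti 0 set port 12 to discarding
""".splitlines()

# Python spells a named group (?P<name>...); Splunk's rex uses (?<name>...).
SINGLE_DIGIT = re.compile(r"port\s(?P<Port>\d)")
ANY_LENGTH = re.compile(r"port\s(?P<Port>\d+)")


def count_ports(events, pattern):
    """Count events per extracted port (hypothetical helper for this example)."""
    counts = Counter()
    for event in events:
        m = pattern.search(event)
        if m:  # events with no match get no Port value and are not counted
            counts[m.group("Port")] += 1
    return dict(counts)


if __name__ == "__main__":
    # With \d, ports 10 and 12 are both truncated to "1" and merged.
    print("\\d  :", count_ports(SAMPLE_EVENTS, SINGLE_DIGIT))
    # With \d+, each multi-digit port keeps its full number.
    print("\\d+ :", count_ports(SAMPLE_EVENTS, ANY_LENGTH))
```

With the single-digit pattern, a chart built on `Port` would show a slice for port "1" that does not correspond to any real port in these events.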