- Splunk Answers
- :
- Splunk Platform Products
- :
- Splunk Enterprise
- :
- Re: How do you extract a field from known text (wi...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying to "extract" the port number as a field that I can use to build a pie chart (or time chart) that simply contains the number of times a specific port is mentioned. It seems like it would be SO simple, yet I can't seem to figure out the syntax. I would ultimately like to end up with a field that simply contains either the port number or the words "port (the port number)". I have included a sample of the events below.
Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to learning
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 STP: msti 0 set port 8 to discarding
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to learning
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to learning
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 7 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 7
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 9 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 9
Mar 28 13:06:32 10.0.1.35 Mar 28 13:03:33 Port: link state changed to 'down' on port 8
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 STP: msti 0 set port 8 to discarding
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 9
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 7
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 STP: msti 0 set port 8 to discarding
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 Port: link state changed to 'down' on port 8
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dmt_admin,
...|rex "port\s(?<Port>\d)"
It will extract port number. Now you can use stats/chart further.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @dmt_admin,
...|rex "port\s(?<Port>\d)"
It will extract port number. Now you can use stats/chart further.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is working! Thank you so much! Could this command be modified to accommodate numbers greater than 9? Just out of curiosity could this be accomplished without the rex command? I feel like I was wayyy off. I was looking at the match and like commands along with eval. Your command is so short and simple.
Also within the search bar, is there any way to use a wildcard to select "port (port number)"? I have tried "port *" but that doesn't seem correct.
I greatly appreciate your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
to accommodate greater than 9 use- |rex "port\s(?<Port>\d+)" and to select events having port you can try |search Port=*
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
