Splunk Enterprise

How do you extract a field from known text (with variable) in search results?

New Member

I am trying to "extract" the port number as a field that I can use to build a pie chart (or time chart) that simply contains the number of times a specific port is mentioned. It seems like it would be SO simple, yet I can't seem to figure out the syntax. I would ultimately like to end up with a field that simply contains either the port number or the words "port (the port number)". I have included a sample of the events below.

Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding
Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to learning
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 STP: msti 0 set port 8 to discarding
Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to learning
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to forwarding
Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 7 to learning
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 7 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 7
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 STP: msti 0 set port 9 to discarding
Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 9
Mar 28 13:06:32 10.0.1.35 Mar 28 13:03:33 Port: link state changed to 'down' on port 8
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 STP: msti 0 set port 8 to discarding
Mar 28 13:06:30 10.0.1.35 Mar 28 13:03:32 Port: link state changed to 'up' (1G) on port 8
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 9
Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 7
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 STP: msti 0 set port 8 to discarding
Mar 28 13:06:27 10.0.1.35 Mar 28 13:03:28 Port: link state changed to 'down' on port 8

Super Champion

Hi @dmt_admin,

...|rex "port\s(?<Port>\d)"

It will extract the port number. Now you can use stats/chart further.



New Member

This is working! Thank you so much! Could this command be modified to accommodate numbers greater than 9? Just out of curiosity could this be accomplished without the rex command? I feel like I was wayyy off. I was looking at the match and like commands along with eval. Your command is so short and simple.

Also within the search bar, is there any way to use a wildcard to select "port (port number)"? I have tried "port *" but that doesn't seem correct.

I greatly appreciate your help.


Super Champion

To accommodate numbers greater than 9, use |rex "port\s(?<Port>\d+)", and to select events that have a port you can try |search Port=*

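The two rex patterns from the answers above (the single-digit `\d` and the corrected `\d+`) can be checked offline against the sample events before running them in Splunk. The following Python script is an added example, not code from the thread: Python's `re` module stands in for Splunk's PCRE engine (the only syntactic difference is that Python spells a named group `(?P<Port>...)` rather than `(?<Port>...)`), and the per-port count mimics what `| search Port=* | stats count by Port` would produce. The sample lines are taken from the question; the two-digit-port lines and the no-port line are constructed to show why the first pattern is insufficient and how unmatched events drop out.

```python
import re
from collections import Counter

# Sample events copied from the question, plus constructed lines (marked)
# that exercise the two-digit and no-port cases the thread discusses.
EVENTS = [
    "Mar 28 13:06:43 10.0.1.35 Mar 28 13:03:44 STP: MSTI0: New root on port 7, root path cost is 20010, root bridge id is 32768.CC-2D-E0-51-7B-8C",
    "Mar 28 13:06:39 10.0.1.35 Mar 28 13:03:40 STP: msti 0 set port 8 to forwarding",
    "Mar 28 13:06:36 10.0.1.35 Mar 28 13:03:38 Port: link state changed to 'up' (1G) on port 8",
    "Mar 28 13:06:35 10.0.1.35 Mar 28 13:03:36 STP: msti 0 set port 9 to forwarding",
    "Mar 28 13:06:33 10.0.1.35 Mar 28 13:03:34 Port: link state changed to 'up' (1G) on port 7",
    "Mar 28 13:06:28 10.0.1.35 Mar 28 13:03:30 Port: link state changed to 'down' on port 9",
    # constructed: two-digit port, not from the original thread
    "Mar 28 13:07:01 10.0.1.35 Mar 28 13:04:02 STP: msti 0 set port 12 to forwarding",
    # constructed: two-digit port, not from the original thread
    "Mar 28 13:07:02 10.0.1.35 Mar 28 13:04:03 Port: link state changed to 'down' on port 12",
    # constructed: an event that mentions no port at all
    "Mar 28 13:07:03 10.0.1.35 Mar 28 13:04:04 STP: msti 0 topology change detected",
]

# Splunk rex uses PCRE named groups (?<Port>...); Python's re module spells the
# same group (?P<Port>...). Both patterns are case-sensitive, so the capitalised
# "Port:" prefix in the link-state events is not matched (it is followed by a
# colon, not whitespace and a digit); only the trailing "port N" is.
SINGLE_DIGIT = re.compile(r"port\s(?P<Port>\d)")   # first answer: exactly one digit
MULTI_DIGIT = re.compile(r"port\s(?P<Port>\d+)")   # follow-up: one or more digits


def extract_port(event, pattern=MULTI_DIGIT):
    """Mimic `| rex "port\\s(?<Port>\\d+)"`: return the Port field as a string,
    or None when the pattern does not match (Splunk leaves the field unset)."""
    m = pattern.search(event)
    return m.group("Port") if m else None


def count_by_port(events, pattern=MULTI_DIGIT):
    """Mimic `| search Port=* | stats count by Port`: events without a Port
    field are dropped, the remaining events are counted per port value."""
    ports = (extract_port(e, pattern) for e in events)
    return Counter(p for p in ports if p is not None)


if __name__ == "__main__":
    print("corrected pattern:", dict(count_by_port(EVENTS)))
    # With the single-digit pattern, "port 12" is truncated to "1" and the
    # chart silently attributes those events to a port that does not exist.
    print("single-digit pattern:", dict(count_by_port(EVENTS, SINGLE_DIGIT)))
```

Running the script shows the corrected pattern counting ports 7, 8, 9 and 12 twice each, while the single-digit pattern reports two events for a non-existent port "1"; the event with no port number appears in neither count, which is the effect of `| search Port=*` in the thread's final answer.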