Splunk Search

Can you help me use regex to extract fields that contain 'ssd'?

New Member

Hello Splunk,

I have the following raw log lines:

1 2019-01-29T15:44:41.184068+00:00 xxx vpxd 4566 - -  Event [5650552] [1-1] [2019-01-29T15:44:41.182223Z] [vim.event.VmMigratedEvent] [info] [] [x - x] [5650175] [Migration of virtual machine vm1 from host1, ds_SSD_001 to host1, ds_SSD_002 completed]

I'm trying to find all log entries where both fields containing SSD (dsSSD001, or dsSSD002,or dsSSD00x) are different.

(This basically means that one VM has moved from one datastore to another)

I figured I should be using rex to extract the 2 occurrences of SSD and compare them | where field1 != field2

I can't manage to find the regex code to extract these fields (I'm very new to regex...)

0 Karma
1 Solution

SplunkTrust
SplunkTrust

Try this Migration of .*, (?<store1>\S+).*, (?<store2>\S+)

https://regex101.com/r/IFFrB3/1

You can use this like so
You search | rex "Migration of .*, (?<store1>\S+).*, (?<store2>\S+)" | table store1 store2

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

Try this Migration of .*, (?<store1>\S+).*, (?<store2>\S+)

https://regex101.com/r/IFFrB3/1

You can use this like so
You search | rex "Migration of .*, (?<store1>\S+).*, (?<store2>\S+)" | table store1 store2

View solution in original post

0 Karma