Splunk Search

Extract strings preceded by specific characters, find only the first match per event.

christopheryu
Communicator

Sorry, this is more of a regex question but I can't figure it out myself. I would like to extract a string preceded by the specific characters "Leg x Seg" where x can be any number. The strings to be extracted can have alphanumeric, dot, or underscore characters. Also, find only the first extraction match so there are no duplicate values per log. So from the single event log example below, the strings I'm looking to extract are:

S3R.VPLS92966
EDBK766V0001
P125018_NNI_QBKW5ZP
EDBK49MH0001

Event:
Summary Leg 3 Seg S3R.VPLS92966 Site PBY CNGHDR JuniperJUNIPER_MX SLOT 3 CARD 2 PORT 0 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 3 Seg S3R.VPLS92966 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 1 PORT 1 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 2 Seg EDBK766V0001 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 14 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO virtualswitchVirtualSeries SLOT 1 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT virtualswitchVirtualSeries SLOT 1 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT Leg 1 Seg P125018_NNI_QBKW5ZP Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 1 TAGTYPE transparent TAG 0 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Leg 1 Seg P125018_NNI_QBKW5ZP Leg 2 Seg EDBK766V0001 Leg 3 Seg S3R.VPLS92966

Thank you in advance!


Esky73
Builder

And then add the following - for number of Occurrences ..

| mvexpand NewField | stats count as Occurences by NewField


woodcock
Esteemed Legend

Like this:

| makeresults
| eval _raw="Summary Leg 3 Seg S3R.VPLS92966 Site PBY CNGHDR JuniperJUNIPER_MX SLOT 3 CARD 2 PORT 0 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 3 Seg S3R.VPLS92966 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 1 PORT 1 TAGTYPE vlan TAG 22 STACKINGMODE none Leg 2 Seg EDBK766V0001 Site PBY GNBRD9 FujitsuFujitsu9500 SHELF 1 SLOT 14 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO virtualswitchVirtualSeries SLOT 1 PORT 15 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 2 Seg EDBK766V0001 Site XTRILEC228PHLAPALO XTRILEC 228 PHLAPALO Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT virtualswitchVirtualSeries SLOT 1 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE stacked STACKEDTAGNUM 31 Leg 1 Seg P125018_NNI_QBKW5ZP Site XTRILEC228DWTWPADT XTRILEC 228 DWTWPADT Leg 1 Seg P125018_NNI_QBKW5ZP Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 4 TAGTYPE vlan TAG 49 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Site C0LUMB P125018 OvertureOVERTURE_ISG SLOT 0 PORT 1 TAGTYPE transparent TAG 0 STACKINGMODE none Leg 0 Seg EDBK49MH0001 Leg 1 Seg P125018_NNI_QBKW5ZP Leg 2 Seg EDBK766V0001 Leg 3 Seg S3R.VPLS92966"
| rex max_match=0 "Leg\s+\d+\s+Seg\s+(?<NewField>\S+)"
| eval NewField=mvdedup(NewField)

mayurr98
Super Champion

Hey

Try this

index=your_index | rex field=_raw "Seg\s(?P<seg>[^\s]*)"

Let me know if this helps!


christopheryu
Communicator

In addition, I would be counting the total number of each extracted string from a set of logs, so I'm not sure if the strings should be extracted as a single field? Illustration below:

event log 1 extracted strings:
S3R.VPLS92966
EDBK766V0001
P125018_NNI_QBKW5ZP
EDBK49MH0001

event log 2 extracted strings:
S3R.VPLS92966
BDEDBK76V00
P125018_NNI_QBKW5ZP

event log 3 extracted strings:
BDEDBK76V00
P125018_NNI_QBKW5ZP
EDBK49MH0001

Desired result:

string count
S3R.VPLS92966 2
EDBK766V0001 1
P125018_NNI_QBKW5ZP 3
EDBK49MH0001 2
BDEDBK76V00 2

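The same pipeline outside Splunk, as an added example (not code from any poster in this thread): woodcock's regex with per-event deduplication (rex max_match=0 plus mvdedup), followed by Esky73's per-value count across events. The three events are constructed here to reproduce the "event log 1/2/3" lists and the desired result table above.

```python
import re
from collections import Counter

# Same pattern as the rex in the answer: "Leg <number> Seg <token>", where the
# token is a run of non-whitespace (covers letters, digits, dots, underscores).
# Anchoring on "Leg \d+" avoids matching a stray "Seg" word elsewhere in the event.
LEG_SEG = re.compile(r"Leg\s+\d+\s+Seg\s+(?P<seg>\S+)")


def extract_segs(event):
    """Return each Seg value of one event once, in order of first appearance.

    Equivalent to `rex max_match=0 ...` followed by `eval NewField=mvdedup(NewField)`.
    """
    seen = []
    for m in LEG_SEG.finditer(event):
        seg = m.group("seg")
        if seg not in seen:  # keep only the first match per event
            seen.append(seg)
    return seen


def count_segs(events):
    """Count in how many events each Seg value appears.

    Equivalent to `mvexpand NewField | stats count by NewField` over the
    deduplicated field: one event contributes at most 1 to each value.
    """
    counts = Counter()
    for ev in events:
        counts.update(extract_segs(ev))
    return counts


# Constructed sample events (trimmed from the poster's log format).
EVENTS = [
    "Summary Leg 3 Seg S3R.VPLS92966 Site PBY CNGHDR JuniperJUNIPER_MX SLOT 3 "
    "Leg 3 Seg S3R.VPLS92966 Site PBY GNBRD9 Leg 2 Seg EDBK766V0001 Site PBY "
    "Leg 1 Seg P125018_NNI_QBKW5ZP Site C0LUMB Leg 0 Seg EDBK49MH0001 "
    "Leg 0 Seg EDBK49MH0001 Leg 1 Seg P125018_NNI_QBKW5ZP",
    "Summary Leg 2 Seg S3R.VPLS92966 Site A Leg 1 Seg BDEDBK76V00 Site B "
    "Leg 1 Seg BDEDBK76V00 Leg 0 Seg P125018_NNI_QBKW5ZP",
    "Summary Leg 2 Seg BDEDBK76V00 Site B Leg 1 Seg P125018_NNI_QBKW5ZP "
    "Leg 0 Seg EDBK49MH0001 Leg 0 Seg EDBK49MH0001",
]

if __name__ == "__main__":
    for seg, n in count_segs(EVENTS).items():
        print(f"{seg:24} {n}")
```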