Splunk Search

Field extraction

Navanitha
Path Finder

I am trying to extract the field starting with C and ending with I from the following strings. Can anyone please suggest the appropriate regex for this?

201421222062713TK 00.?4_CVH03I VY SCN P43833244199105 02P87562824579SAI LAKKAMANENI

1120082628TA 00.?4DCGPV08I GTALS 295211P3055E464 01Q000900046SAHEER SHAIK12

2014112980059TL 00.C&&CGPV08I GTALS 295211P3055E464 0TI000200546280SRIDHAR ALAPARTHI

1 Solution

richgalloway
SplunkTrust

It's not clear exactly what you want to extract since there are multiple I's in your sample data. However, the regex string (C.*?I) should get you started.

---
If this reply helps you, Karma would be appreciated.


sepmerit
New Member

I also want to extract a field from the sample logs below (all from Cisco nodes): the words that come after the keyword "command". I want to mark anything after it as a field. How do I use rex or regex to go about it? Thanks.

Sep 23 16:01:38 X.X.X.X 39412: Sep 23 13:01:37.822: %PARSER-5-CFGLOG_LOGGEDCMD: User:john.adams  logged command:switchport port-security

Sep 23 14:51:04 X.X.X.X 517733: 9w0d: %PARSER-5-CFGLOG_LOGGEDCMD: User:mary.clare  logged command:neighbor X.X.X.X GigabitEthernet0/2.1458

Sep 23 20:04:22 X.X.X.X 4554: Sep 23 17:04:21.239: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny
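An added example (not code from the thread) of the "everything after command:" extraction asked for above, using Python's re module on constructed copies of the three Cisco lines in the post. The named groups are the form Splunk's rex command accepts; the group names `user` and `command` and the helper names are assumptions. Capturing the user alongside the command is what a defender needs to alert on configuration changes made by unexpected accounts.

```python
import re

# Constructed sample lines modelled on the three CFGLOG_LOGGEDCMD lines in the post
# (addresses kept as X.X.X.X, as in the post).
CISCO_LINES = [
    "Sep 23 16:01:38 X.X.X.X 39412: Sep 23 13:01:37.822: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:john.adams  logged command:switchport port-security",
    "Sep 23 14:51:04 X.X.X.X 517733: 9w0d: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:mary.clare  logged command:neighbor X.X.X.X GigabitEthernet0/2.1458",
    "Sep 23 20:04:22 X.X.X.X 4554: Sep 23 17:04:21.239: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:console  logged command:deny",
]

# The literal "logged command:" anchors the capture; the lazy .+? followed by \s*$
# runs to end of line but leaves any trailing whitespace out of the field value.
# Group names (user, command) are this example's own choice.
CMD_RE = re.compile(r"User:(?P<user>\S+)\s+logged command:(?P<command>.+?)\s*$")


def parse_cfglog(line):
    """Return {'user': ..., 'command': ...} for a CFGLOG_LOGGEDCMD line, else None."""
    m = CMD_RE.search(line)
    return m.groupdict() if m else None


def parse_all(lines=CISCO_LINES):
    """Apply parse_cfglog to every line; non-matching lines yield None."""
    return [parse_cfglog(line) for line in lines]


if __name__ == "__main__":
    for fields in parse_all():
        print(fields)
```

In Splunk the same pattern goes into `| rex field=_raw "..."`; the named groups become the fields `user` and `command` for each event that matches, and events without the literal `logged command:` are left untouched.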


Navanitha
Path Finder

I want to extract fields with CVH03I / CGPV08I / CGPV08I. The regex which you gave is matching the field in the first string only. I would like to match it with the other two strings.


richgalloway
SplunkTrust

According to RegExr, the string matches the first two examples. The challenge in the third example is there are two C's. See if this works better for you:

[_?&].*?(C.*?I)
---
If this reply helps you, Karma would be appreciated.

aholzer
Motivator

You could also try this:

00\..{3}([^\s]+)

To save it as a field extraction just use this:

00\..{3}(?P<my_field>[^\s]+)

I'm using the 00. as my starting point, ignoring 3 characters after that, then beginning the capture until the next whitespace.
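An added example (not code from the thread) that runs the three regexes proposed above, `(C.*?I)`, `[_?&].*?(C.*?I)` and `00\..{3}([^\s]+)`, with Python's re module over constructed copies of the three sample strings from the question, so the behaviour each poster describes can be seen side by side. The pattern names and helper names are this example's own. It shows the problem with the two C's in the third string: the lazy `C.*?I` starts at the first C it finds and captures `C&&CGPV08I`, while the other two patterns capture `CGPV08I`.

```python
import re

# Constructed copies of the three sample strings in the question.
SAMPLES = [
    "201421222062713TK 00.?4_CVH03I VY SCN P43833244199105 02P87562824579SAI LAKKAMANENI",
    "1120082628TA 00.?4DCGPV08I GTALS 295211P3055E464 01Q000900046SAHEER SHAIK12",
    "2014112980059TL 00.C&&CGPV08I GTALS 295211P3055E464 0TI000200546280SRIDHAR ALAPARTHI",
]

# The three patterns proposed in the thread, in the order they were posted.
# The dictionary keys are labels chosen for this example.
PATTERNS = {
    "lazy": r"(C.*?I)",              # first C, shortest run to an I
    "anchored": r"[_?&].*?(C.*?I)",  # skip to a marker char, then the same capture
    "offset": r"00\..{3}([^\s]+)",   # after "00." skip 3 chars, capture to whitespace
}


def capture(pattern, text):
    """Return group 1 of the first match, or None if the pattern does not match."""
    m = re.search(pattern, text)
    return m.group(1) if m else None


def compare(samples=SAMPLES, patterns=PATTERNS):
    """Run every pattern over every sample; returns {label: [capture per sample]}."""
    return {name: [capture(p, s) for s in samples] for name, p in patterns.items()}


def extract_named(text, field="my_field"):
    """Named-group form of the offset pattern, as a Splunk rex command needs.

    Returns {field: value} on a match and {} otherwise.
    """
    pattern = r"00\..{3}(?P<" + field + r">[^\s]+)"
    m = re.search(pattern, text)
    return m.groupdict() if m else {}


if __name__ == "__main__":
    for name, captures in compare().items():
        print(f"{name:>8}: {captures}")
    print(extract_named(SAMPLES[2]))
```

For these patterns Python's re and the PCRE engine Splunk uses agree. The offset pattern is the most robust of the three because it keys on the fixed `00.` marker and a fixed width rather than on the first C in the event; its one assumption is that exactly three characters always sit between `00.` and the field of interest.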

Navanitha
Path Finder

Thanks guys, it worked. I am more comfortable using 00..{3}([^\s]+). This is exactly filling my requirement.
