Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field extraction

Navanitha
Path Finder
‎01-29-2015 05:13 AM

I am trying to extract the field starting with C ending with I from following strings. Can anyone pls suggest the appropriate regex for this.

201421222062713TK 00.?4_CVH03I VY SCN P43833244199105 02P87562824579SAI LAKKAMANENI

1120082628TA 00.?4DCGPV08I GTALS 295211P3055E464 01Q000900046SAHEER SHAIK12

2014112980059TL 00.C&&CGPV08I GTALS 295211P3055E464 0TI000200546280SRIDHAR ALAPARTHI

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2015 05:31 AM

It's not clear exactly what you want to extract since there are multiple I's in your sample data. However, the regex string (C.*?I) should get you started.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

sepmerit
New Member
‎09-23-2016 10:20 AM

I also want to extract out a field from the samples logs below (all from cisco nodes); the words that come after the key word "command", i want to mark anything afterwards as a field, how do i use rex or regex go about it? thanks

Sep 23 16:01:38 X.X.X.X 39412: Sep 23 13:01:37.822: %PARSER-5-CFGLOG_LOGGEDCMD: User:john.adams  logged command:switchport port-security

Sep 23 14:51:04 X.X.X.X 517733: 9w0d: %PARSER-5-CFGLOG_LOGGEDCMD: User:mary.clare  logged command:neighbor X.X.X.X GigabitEthernet0/2.1458

Sep 23 20:04:22 X.X.X.X 4554: Sep 23 17:04:21.239: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2015 05:31 AM

It's not clear exactly what you want to extract since there are multiple I's in your sample data. However, the regex string (C.*?I) should get you started.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Navanitha
Path Finder
‎01-29-2015 05:41 AM

I want to extract fields with CVH03I / CGPV08I / CGPV08I. regex which you gave is matching the field in first sting only. I would like to match it with other two stings.

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-29-2015 06:13 AM

According to RegExr, the string matches the first two examples. The challenge in the third example is there are two C's. See if this works better for you:

[_?&].*?(C.*?I)
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

aholzer
Motivator
‎01-29-2015 06:25 AM

You could also try this:

00\..{3}([^\s]+)

To save it as a field extraction just use this:

00\..{3}(?P<my_field>[^\s]+)

I'm using the 00. as my starting point, ignore 3 characters after that, then begin the capture until the next whitespace.

Reply
Solved! Jump to solution

Navanitha
Path Finder
‎01-29-2015 07:21 AM

Thanks guys, it worked..I am more comfortable using 00..{3}([^\s]+). this is exactly filling my requirement.

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk &#43; Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...