Splunk Search

Field extraction

Explorer

I am trying to extract the field starting with C and ending with I from the following strings. Can anyone please suggest the appropriate regex for this?

201421222062713TK 00.?4_CVH03I VY SCN P43833244199105 02P87562824579SAI LAKKAMANENI

1120082628TA 00.?4DCGPV08I GTALS 295211P3055E464 01Q000900046SAHEER SHAIK12

2014112980059TL 00.C&&CGPV08I GTALS 295211P3055E464 0TI000200546280SRIDHAR ALAPARTHI


SplunkTrust

It's not clear exactly what you want to extract since there are multiple I's in your sample data. However, the regex string (C.*?I) should get you started.

---
If this reply helps you, an upvote would be appreciated.


New Member

I also want to extract a field from the sample logs below (all from Cisco nodes): the words that come after the keyword "command". I want to mark anything after it as a field. How do I use rex or regex to go about it? Thanks.

Sep 23 16:01:38 X.X.X.X 39412: Sep 23 13:01:37.822: %PARSER-5-CFGLOG_LOGGEDCMD: User:john.adams  logged command:switchport port-security

Sep 23 14:51:04 X.X.X.X 517733: 9w0d: %PARSER-5-CFGLOG_LOGGEDCMD: User:mary.clare  logged command:neighbor X.X.X.X GigabitEthernet0/2.1458

Sep 23 20:04:22 X.X.X.X 4554: Sep 23 17:04:21.239: %PARSER-5-CFGLOG_LOGGEDCMD: User:console  logged command:deny


Explorer

I want to extract the fields CVH03I / CGPV08I / CGPV08I. The regex which you gave is matching the field in the first string only. I would like to match it in the other two strings.


SplunkTrust

According to RegExr, the string matches the first two examples. The challenge in the third example is there are two C's. See if this works better for you:

[_?&].*?(C.*?I)

Motivator

You could also try this:

00\..{3}([^\s]+)

To save it as a field extraction just use this:

00\..{3}(?P<my_field>[^\s]+)

I'm using the 00. as my starting point, ignoring 3 characters after that, then capturing until the next whitespace.

Explorer

Thanks guys, it worked. I am more comfortable using 00..{3}([^\s]+). This exactly fills my requirement.

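Below is an added example (not code from this thread) that runs the three candidate regexes from the replies above against the three sample strings the original poster gave, so the difference between them is visible side by side, and also shows a named-group extraction for the Cisco %PARSER-5-CFGLOG_LOGGEDCMD lines asked about earlier in the thread. It uses Python's re module, which behaves the same as Splunk's PCRE engine for these patterns. The sample events are the ones posted in the thread; the Cisco lines are constructed in the same shape as the posted ones; and the `User:...logged command:` pattern is my suggestion, not an answer given on this page.

```python
import re

# The three sample events posted in the thread (used here as constructed test input).
SAMPLE_EVENTS = [
    "201421222062713TK 00.?4_CVH03I VY SCN P43833244199105 02P87562824579SAI LAKKAMANENI",
    "1120082628TA 00.?4DCGPV08I GTALS 295211P3055E464 01Q000900046SAHEER SHAIK12",
    "2014112980059TL 00.C&&CGPV08I GTALS 295211P3055E464 0TI000200546280SRIDHAR ALAPARTHI",
]

# The three patterns proposed in the thread, in the order they appeared.
CANDIDATES = {
    "naive": r"(C.*?I)",                # first C up to the next I; breaks when an earlier C exists
    "anchored": r"[_?&].*?(C.*?I)",     # skip ahead to a _ ? or & first, then take C...I
    "positional": r"00\..{3}([^\s]+)",  # anchor on "00.", skip 3 chars, capture up to whitespace
}

# Constructed Cisco lines shaped like the CFGLOG_LOGGEDCMD events posted in the thread.
CISCO_EVENTS = [
    "Sep 23 16:01:38 X.X.X.X 39412: Sep 23 13:01:37.822: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:john.adams  logged command:switchport port-security",
    "Sep 23 14:51:04 X.X.X.X 517733: 9w0d: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:mary.clare  logged command:neighbor X.X.X.X GigabitEthernet0/2.1458",
    "Sep 23 20:04:22 X.X.X.X 4554: Sep 23 17:04:21.239: %PARSER-5-CFGLOG_LOGGEDCMD: "
    "User:console  logged command:deny",
]

# Assumed pattern (my suggestion, not from the thread). Named groups in the (?P<name>...)
# form are what Splunk's rex command turns into fields.
CISCO_CMD = r"User:(?P<user>\S+)\s+logged command:(?P<command>.+)$"


def first_capture(pattern: str, line: str):
    """Return group 1 of the first match of pattern in line, or None if it does not match."""
    m = re.search(pattern, line)
    return m.group(1) if m else None


def extract_all(pattern: str, lines):
    """Apply one pattern to every line; a None entry marks a line the pattern missed."""
    return [first_capture(pattern, line) for line in lines]


def compare_candidates(lines=SAMPLE_EVENTS):
    """Run every candidate pattern over the sample events for a side-by-side comparison."""
    return {name: extract_all(pat, lines) for name, pat in CANDIDATES.items()}


def extract_cisco(lines=CISCO_EVENTS):
    """Pull the user and the logged command out of each CFGLOG_LOGGEDCMD line."""
    rows = []
    for line in lines:
        m = re.search(CISCO_CMD, line)
        rows.append(m.groupdict() if m else None)
    return rows


if __name__ == "__main__":
    for name, captures in compare_candidates().items():
        print(f"{name:11s} {captures}")
    for row in extract_cisco():
        print(row)
```

Running it shows the naive pattern returning C&&CGPV08I for the third event (it starts at the first C it sees), while both the anchored and the positional patterns return CGPV08I for it. In SPL the positional form becomes `| rex "00\..{3}(?P<my_field>[^\s]+)"` (rex works on _raw by default), and the Cisco one becomes `| rex "User:(?P<user>\S+)\s+logged command:(?P<command>.+)$"`. The unescaped 00..{3} variant also matches these samples because an unescaped dot matches any character, but it is looser than 00\..{3}. Both working patterns rely on a fixed shape (a literal "00." prefix, or one of _ ? & appearing before the token), so check them against a larger slice of events before saving either as a permanent field extraction.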