
How do I create a regular expression to extract a particular field from a comma-separated log entry regardless of its length?

New Member

Can you help me with the below?

I would like to create a regular expression to extract a particular field from a comma-separated log entry regardless of its length.

Log entry sample

2017-02-21 14:25:59,2017-02-21 14:25:59,0.000,101.214.24.6,17.28.191.41,45604,22,TCP,.A....,0,0,1,52,0,0,151129516,151129615,0,0,0,0,0,0,72.128.190.41,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,72.128.157.2,1/2,2,2017-02-21 14:26:00.535

The above log entry is a single line and has multiple fields which are comma separated. I would like to extract the field which is marked in BOLD. That is the next hop IP for netflow logs.
Basically I would like to extract only the 45th field in this log entry, regardless of the variable data lengths of each field or the type of data.

Can you please help. I tried extracting fields by letting Splunk do it, but when the data size varies, Splunk fails to detect certain fields.


Communicator

Hi

Event

2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

How do I delimit by @$@?


Super Champion
| makeresults
| eval key="2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@"
| rex mode=sed field=key "s/\@\$\@/,/g"
| rex field=key "^([^,]*,){5}(?<next_hop_IP>[^,]*)"
| table key,next_hop_IP

In the above case I have converted "@$@" to a comma and then split based on the same logic. Have a try using the above for getting the 6th field.


Communicator

In a few events we have , inside fields.


Revered Legend

If your next hop IP is always the 45th segment (comma as separator), then try this

your base search | rex "^([^,]+,){44}(?<next_hop_IP>[^,]+)"
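
The two regex approaches from the answers above (counting comma-separated segments with a repeated group, and rewriting a multi-character delimiter such as @$@ to a comma first), run against both sample events from this thread. This is an added example in Python, not code from any poster: Splunk's rex command is PCRE and writes named groups as (?<name>...), which Python's re module spells (?P<name>...), and the function names are mine. It also shows what the "regardless of length" requirement actually depends on: whether the pattern tolerates empty fields, and whether any field contains the separator itself.

```python
"""Positional field extraction by regex, checked against the thread's own events.

Splunk's rex command is PCRE and writes named groups as (?<name>...); Python's
re module needs (?P<name>...), which is the only change made to the patterns.
"""
import re

# The two sample events posted in the thread, copied verbatim.
NETFLOW_EVENT = (
    "2017-02-21 14:25:59,2017-02-21 14:25:59,0.000,101.214.24.6,17.28.191.41,"
    "45604,22,TCP,.A....,0,0,1,52,0,0,151129516,151129615,0,0,0,0,0,0,"
    "72.128.190.41,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,"
    "00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,"
    "0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,72.128.157.2,1/2,2,"
    "2017-02-21 14:26:00.535"
)
APP_EVENT = (
    "2017-02-15 09:59:51,787@$@VWNV02AX01571@$@"
    "72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@"
    "5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@"
    "LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@"
    "2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@"
)


def nth_field_pattern(n, delimiter=",", allow_empty=True):
    """Regex for the n-th (1-based) field split on a single-character delimiter.

    allow_empty=True gives the [^,]* form, False the [^,]+ form. The + form
    cannot match an event that has an empty field anywhere before position n,
    so the extraction silently yields nothing instead of a wrong value.
    """
    if len(delimiter) != 1:
        raise ValueError("use extract_nth_field_multichar for longer delimiters")
    d = re.escape(delimiter)
    q = "*" if allow_empty else "+"
    return rf"^(?:[^{d}]{q}{d}){{{n - 1}}}(?P<field>[^{d}]{q})"


def extract_nth_field(event, n, delimiter=",", allow_empty=True):
    """Return the n-th field as the regex sees it, or None when it does not match."""
    m = re.match(nth_field_pattern(n, delimiter, allow_empty), event)
    return m.group("field") if m else None


def extract_nth_field_multichar(event, n, delimiter):
    """n-th field for a multi-character delimiter such as @$@.

    A character class cannot say 'anything but @$@', so each field is matched
    with a tempered token, (?:(?!DELIM).)*, that stops at the next delimiter.
    Commas inside a field (the ',787' milliseconds in the first timestamp) are
    ordinary characters here, so they do not shift the field count.
    """
    d = re.escape(delimiter)
    field = rf"(?:(?!{d}).)*"
    m = re.match(rf"^(?:{field}{d}){{{n - 1}}}(?P<field>{field})", event)
    return m.group("field") if m else None


def rewrite_then_nth_field(event, n, delimiter):
    """Rewrite the delimiter to ',' first, then take the n-th comma field.

    This mirrors the sed-then-rex approach and is only correct when no field
    contains a comma of its own.
    """
    return extract_nth_field(event.replace(delimiter, ","), n)


def field_count(event, delimiter=","):
    """How many fields the event really has; check this before hard-coding n."""
    return len(event.split(delimiter))


if __name__ == "__main__":
    print(extract_nth_field(NETFLOW_EVENT, 45))              # 72.128.157.2
    print(extract_nth_field_multichar(APP_EVENT, 6, "@$@"))  # OHHNCacheCommonBO
    print(rewrite_then_nth_field(APP_EVENT, 6, "@$@"))       # 5e3de831-... (one field early)
    print(extract_nth_field(APP_EVENT.replace("@$@", ","), 6, allow_empty=False))  # None
```

The netflow line has 48 comma-separated segments and the 45th is 72.128.157.2, so the {44} pattern is right for it. The @$@ event shows the two failure modes: after rewriting @$@ to a comma, the ",787" milliseconds in the first timestamp become a separator of their own, so the "6th comma field" is really the 5th @$@ field (5e3de831-...), and because the event also has an empty field (@$@@$@), the [^,]+ variant does not match at all. Matching @$@ directly with the tempered token returns OHHNCacheCommonBO as expected, and returns an empty string, not a non-match, for the empty fields. When every @$@-separated field is wanted as its own column, Splunk's eval functions split() and mvindex() work on multi-character delimiters without any regex.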

Communicator

Hi somesoni

We want to use a regular expression to extract the below event.

Based on the 1st occurrence of @$@ will be the first column and the 2nd occurrence will be the 2nd column; like that, many fields need to be extracted.
2017-02-15 09:59:51,787@$@VWNV02AX01571@$@72f62f43-7269-4ca9-add5-3b623982a5fc@$@@$@5e3de831-cde6-4b83-be76-0235345063c3@$@OHHNCacheCommonBO@$@LogDynamicObjectsByDelegates@$@LogDynamicObjects@$@2017-02-15 09:59:51.787@$@2017-02-15 09:59:51.787@$@0@$@@$@

How do I delimit by @$@?