Splunk Search

How to create a named field with a regular expression

Explorer

Hi Team,

I would like to create a named field to filter Ethernet port numbers. My expression:
\beth\d*(?:-\d+)*(?:/\d+(?:.\d+)?)?\b

0 Karma

Explorer

It seems that I wasn't specific enough.

Below is part of my log:

"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"eth-0-36"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}

I would like to extract eth-0-36, but the port notation can differ depending on the device:
Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4
and create a field to present the data in a table.

0 Karma

Legend

Hi dabroma5,
Try this.

 | rex "\"label\":\"(?<port>(Eth|eth)[^\"]*)"

that you can test at https://regex101.com/r/nE5Zjt/2

Ciao.
Giuseppe

0 Karma

Legend

Hi dabroma5,
is this question a duplicate of https://answers.splunk.com/answers/780044/how-to-creat-named-fiels-with-regular-expression.html?chil... or is it a different one?

Ciao.
Giuseppe

0 Karma

Explorer

Yes, it's the same; my question got stuck in the moderation process.

0 Karma

Motivator

Within SPL? Like this: (?<named_field>regex)

In your example

| rex field="your base field" "\beth\d*(?<field1>-\d+)*(?<field2>/\d+(?<field3>\.\d+)?)?\b"

0 Karma
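As an added example (not code from the thread or from Splunk), the following Python script exercises both approaches in the answers above: Giuseppe's pattern anchored on the "label" key, and the named-group version of the asker's own port pattern, generalised to all five notations from the question. The log line and the port strings are constructed from the question text; group names such as slot, dash, sub and vlan are my own choice. Python spells a named group (?P<name>...) where Splunk's rex uses (?<name>...); otherwise the patterns carry over to SPL unchanged.

```python
from __future__ import annotations

import re

# Constructed sample event: the JSON fragment from the question, trimmed to the
# parts that matter so that it is one complete line. Not a real device log.
SAMPLE_EVENT = (
    '{"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},'
    '"pointId":[{"desc":"Type: openflow\\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},'
    '{"desc":"","label":""},{"desc":"Network Interfaces","label":""},'
    '{"desc":"","label":"eth-0-36"}]},'
    '"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}'
)

# The port spellings listed in the question, joined into one constructed string.
PORT_VARIANTS = "Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4"

# Approach 1 (Giuseppe's answer): anchor on the JSON key so that only a "label"
# value starting with eth/Eth is captured. In Splunk rex this is (?<port>...).
LABEL_RE = re.compile(r'"label":"(?P<port>[Ee]th[^"]*)"')

# Approach 2: the asker's pattern with named groups (as in the last answer),
# generalised: the dot before the sub-interface number is escaped (an unescaped
# "." matches any character), matching is case-insensitive so Eth and eth both
# hit, and each piece gets its own group so it can become a table column.
PORT_RE = re.compile(
    r"\b(?P<port>"
    r"eth(?P<slot>\d*)"            # eth, optionally followed by digits: Eth1
    r"(?P<dash>(?:-\d+)+)?"        # dash-separated numbers: eth-0-36
    r"(?:/(?P<sub>\d+)"            # slash and port number: Eth1/4
    r"(?:\.(?P<vlan>\d+))?)?"      # optional .subinterface: Eth1/2.500
    r")\b",
    re.IGNORECASE,
)

# The asker's original pattern, kept verbatim (unescaped dot) for comparison.
ORIGINAL_RE = re.compile(r"\beth\d*(?:-\d+)*(?:/\d+(?:.\d+)?)?\b")


def extract_port_from_label(event: str) -> str | None:
    """Return the port from the first "label" whose value starts with eth/Eth."""
    m = LABEL_RE.search(event)
    return m.group("port") if m else None


def parse_port(text: str) -> dict[str, str] | None:
    """Return the named pieces of the first port found in text, or None."""
    m = PORT_RE.search(text)
    if m is None:
        return None
    # Drop groups that did not take part so the result only holds real columns.
    return {name: value for name, value in m.groupdict().items() if value is not None}


def extract_all_ports(text: str) -> list[str]:
    """Every port-looking token in text, in order of appearance."""
    return [m.group("port") for m in PORT_RE.finditer(text)]


def original_pattern_match(text: str) -> str | None:
    """What the asker's unescaped-dot pattern matches, to show why the dot matters."""
    m = ORIGINAL_RE.search(text)
    return m.group(0) if m else None


if __name__ == "__main__":
    print(extract_port_from_label(SAMPLE_EVENT))
    print(extract_all_ports(PORT_VARIANTS))
    for variant in PORT_VARIANTS.split("; "):
        print(parse_port(variant))
    # "eth1/1x2" is not a valid notation; the unescaped dot accepts it anyway.
    print(original_pattern_match("eth1/1x2"), "vs", parse_port("eth1/1x2")["port"])
```

The label-anchored pattern is the safer choice when the port always arrives in that JSON key, because it cannot pick up unrelated text such as a word that merely starts with "eth"; the generalised pattern is the one to use when the port appears in free text or in several fields. A regex that produces empty columns (here slot is "" for the eth-0-36 style) is normal for a zero-length \d*; in Splunk such groups simply become empty field values.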