Hi dabroma5,
If all your ports are called Eth or eth, try this:

| rex "(?<port>(Eth|eth)[^\"]*)"

You can test it at https://regex101.com/r/nE5Zjt/1

Ciao.
Giuseppe

Hi Giuseppe,

Works partially, on below notification I am receiving Ethernet Module instead of Eth1/18

{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"4a063431-fb65-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1572474806370,"headId":"4a063431-fb65-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"","label":"Link down"},"pointId":[{"desc":"Type: cisco\nIP: A.B.C.D","label":"device-name [A.B.C.D]"},{"desc":"","label":""},{"desc":"Ethernet Module","label":""},{"desc":"","label":"Eth1/18"}]},"id":{"alertId":"Link-down","component":1,"pointId":["A-B-C-D","dev","1","180000"]}}

Thanks
Marcin

Hi dabroma5,
Try this.

| rex "\"label\":\"(?<port>(Eth|eth)[^\"]*)"

that you can test at https://regex101.com/r/nE5Zjt/2

Ciao.
Giuseppe

Hi Giuseppe,

| rex "\"label\":\"(?(Eth|eth)[^\"]*)" - works perfect

thanks
Marcin

Hi Marcin,
if this answer solves your problem, please accept and/or upvote it

Ciao and next time!
Giuseppe

I wasn't enough specific. Below is part of my log:

{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"eth-0-36"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}

Port notation can be different depends on the device:
Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4

How to create named field to present information in a table.