Hi Team
I need to filter logs to catch switch port numbers. I use Splunk Cloud; my expression:
\beth\d*(?:-\d+)*(?:/\d+(?:\.\d+)?)?\b
How do I create a named field?
Many Thanks
Hi dabroma5,
you can create a field using the rex command ( https://docs.splunk.com/Documentation/SplunkCloud/8.0.0/SearchReference/Rex ):
| rex "\beth\d*(?<field1>\d+)"
I cannot be more precise without an example and the indication of what values you want to extract in fields.
P.S.: to display regexes use the Code Sample button.
Ciao.
Giuseppe
Hi dabroma5,
If all your ports are called Eth or eth, try this:
| rex "(?<port>(Eth|eth)[^\"]*)"
You can test it at https://regex101.com/r/nE5Zjt/1
Ciao.
Giuseppe
Hi Giuseppe,
It works partially; on the notification below I am receiving Ethernet Module instead of Eth1/18
{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"4a063431-fb65-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1572474806370,"headId":"4a063431-fb65-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"","label":"Link down"},"pointId":[{"desc":"Type: cisco\nIP: A.B.C.D","label":"device-name [A.B.C.D]"},{"desc":"","label":""},{"desc":"Ethernet Module","label":""},{"desc":"","label":"Eth1/18"}]},"id":{"alertId":"Link-down","component":1,"pointId":["A-B-C-D","dev","1","180000"]}}
Thanks
Marcin
Hi dabroma5,
Try this.
| rex "\"label\":\"(?<port>(Eth|eth)[^\"]*)"
that you can test at https://regex101.com/r/nE5Zjt/2
Ciao.
Giuseppe
Hi Giuseppe,
| rex "\"label\":\"(?<port>(Eth|eth)[^\"]*)" - works perfectly
thanks
Marcin
Hi Marcin,
if this answer solves your problem, please accept and/or upvote it
Ciao and next time!
Giuseppe
I wasn't specific enough. Below is part of my log:
{"info":{"seqno":0,"evtType":1,"oTime":null,"links":null,"id":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","origin":null,"relations":[],"details":"","severity":5,"time":1569918148265,"headId":"9b0ae9a9-e424-11e9-a309-fd988b74a8c5","sa":2},"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"eth-0-36"}]},"id":{"alertId":"16","component":1,"pointId":["a-b-c-d","dev","1","36"]}}
Port notation can differ depending on the device:
Eth1/1.2; Eth1/2.500; eth-0-19/4; eth-0-4; Eth1/4
How do I create a named field to present the information in a table?
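A worked check of the regexes from this thread, added here as an example (it is not Giuseppe's or Splunk's code). Python's re engine stands in for the PCRE engine behind rex, so the named group is written (?P<port>...) instead of (?<port>...); the two sample events are constructed from the notifications posted above, and the case-insensitive (?i) flag on the original port pattern is an added assumption so that it also covers the Eth1/... spellings.

```python
import re

# Constructed sample events shaped like the two notifications in the thread
# (trimmed to the "desc" object; not real device data).
EVENTS = [
    '{"desc":{"alertId":{"desc":"","label":"Link down"},"pointId":[{"desc":"Type: cisco\\nIP: A.B.C.D","label":"device-name [A.B.C.D]"},{"desc":"","label":""},{"desc":"Ethernet Module","label":""},{"desc":"","label":"Eth1/18"}]}}',
    '{"desc":{"alertId":{"desc":"The network port is down","label":"Link down"},"pointId":[{"desc":"Type: openflow\\nIP: a.b.c.d","label":"device_name [a.b.c.d]"},{"desc":"","label":""},{"desc":"Network Interfaces","label":""},{"desc":"","label":"eth-0-36"}]}}',
]

# First attempt from the thread: any Eth/eth run up to the next double quote.
# It also swallows the "desc" value "Ethernet Module".
UNANCHORED = re.compile(r'(?P<port>(Eth|eth)[^"]*)')

# Final version from the thread: only values that sit in a JSON "label" field.
ANCHORED = re.compile(r'"label":"(?P<port>(Eth|eth)[^"]*)')

# The original poster's port pattern; (?i) is an assumption added here.
PORT_SHAPE = re.compile(r'(?i)\beth\d*(?:-\d+)*(?:/\d+(?:\.\d+)?)?\b')


def extract_port(event, pattern=ANCHORED):
    """Return the 'port' capture of the first match, or None (like rex on _raw)."""
    m = pattern.search(event)
    return m.group("port") if m else None


def port_shape(text):
    """Return the first port-shaped token in text, or None."""
    m = PORT_SHAPE.search(text)
    return m.group(0) if m else None


if __name__ == "__main__":
    for ev in EVENTS:
        print("unanchored:", extract_port(ev, UNANCHORED), "| anchored:", extract_port(ev))
    for token in ["Eth1/1.2", "Eth1/2.500", "eth-0-19/4", "eth-0-4", "Eth1/4", "Ethernet Module"]:
        print(token, "->", port_shape(token))
```

The trailing \b in the original pattern is what keeps "Ethernet Module" out: after "Eth" the next character is a letter, so no word boundary exists and the match fails.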