Solved: How to extract field names from Arris_log? I need ...

avishek08 · ‎10-26-2017

I need help extracting alert numbers from these different raw logs. I have tried using Field extractor and not having any luck aggregating them into a list or count

1: Oct 26 11:14:51 192.168.69.50 pfsp: Host Detection alert #21780827, start 2017-10-26 16:14:45 GMT, duration 6, direction incoming,

2: Oct 26 11:13:56 192.168.69.50 pfsp: TMS mitigation 'Alert 21780825 Auto-Mitigation' started at 2017-10-26 16:13:55

If possible please help me find appropriate "rex" command so I can learn too 🙂

alemarzu · ‎10-26-2017

@avishek08

Try this regex.

... | rex "(?:alert\s#|\'Alert\s)(?<my_numbers>\d+)(?:\,\s|\s)" | stats count by my_numbers

View solution in original post

alemarzu · ‎10-26-2017

@avishek08

Try this regex.

... | rex "(?:alert\s#|\'Alert\s)(?<my_numbers>\d+)(?:\,\s|\s)" | stats count by my_numbers

avishek08 · ‎10-27-2017

Thank you so much 🙂

alemarzu · ‎10-27-2017

Glad it worked out. Cheers!

How to extract field names from Arris_log? I need help extracting alert numbers from these different raw logs.

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!