Solved: Inline field extraction with rex

lukejadamec · ‎10-11-2013

I'm not a big regex power yet, I know this is easy, but since it is not on a system I can't test and figure out myself I'm looking for expert assistance.
Can someone provide a search rex that will pull both the interface and up-down fields from this log?

Oct  9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct  9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to down
Oct  9 12:01:18 hos-a-3550-1.rockefeller.internal 2635634: Oct  9 12:01:17: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/3, changed state to up

Looking for a rex that pulls two fields:

search | rex field=_raw ?(?<interface>?)?(?<up-down>?)? | stats count by interface,up-down

Thanks,

Luke

yannK · ‎10-12-2013

Here

mysearch | rex "Interface (?<interface>[^, ]*), changed state to (?<state>\w+)" | table interface state

View solution in original post

yannK · ‎10-12-2013

Here

mysearch | rex "Interface (?<interface>[^, ]*), changed state to (?<state>\w+)" | table interface state

yannK · ‎10-14-2013

here is a good place to start
http://www.regular-expressions.info/quickstart.html

lukejadamec · ‎10-12-2013

Thanks. I totally need to learn regex.

yannK · ‎10-11-2013

please show that you are looking for precisely.

Inline field extraction with rex

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector

Adoption of Infrastructure Monitoring at Splunk