Solved: Need help in extracting different format of fields

srinivas_gowda · ‎10-08-2021

Hello all,

I am extracting a field which is coming in multiple formats, however I found that once of the format is not working as expected. Details below. Please help me in extracting all of these formats without affecting others.

Example 1:(highlighted is the field I am trying to extract)

APPLICATION-MIB::evtDevice = STRING: "Server2.Application.APP.INTRANET" APPLICATION-MIB::evtComponent =

Example 2:(highlighted is the field I am trying to extract)

APPLICATION-MIB::evtDevice = STRING: "Server1" APPLICATION-MIB::evtComponent =

Example 3:(highlighted is the field I am trying to extract)

APPLICATION-MIB::evtDevice = STRING: "SG2-SWMGMT-CAT-001" APPLICATION-MIB::evtComponent =

regex used : APPLICATION-MIB::evtDevice\s+=\sSTRING:\s\"(?<source_host>\w+[a-zA-Z0-9-_]\w+)

The above regex is working for both example 1 and 2. However, for example 3 this is working only for the underlined fields and not everything highlighted.

Please help in getting this worked.

javiergn · ‎10-08-2021

Hi @srinivas_gowda , I would simply replace your regex with this:

APPLICATION-MIB::evtDevice\s+=\sSTRING:\s\"(?<source_host>[\w\-]+)

View solution in original post

javiergn · ‎10-08-2021

Hi @srinivas_gowda , I would simply replace your regex with this:

APPLICATION-MIB::evtDevice\s+=\sSTRING:\s\"(?<source_host>[\w\-]+)

Need help in extracting different format of fields

field extraction

regex

rex

subsearch

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

ATTENTION!! We’re MOVING (not really)

Splunk Admins: Build a Smarter Stack with These Must-See .conf25 Sessions

Are you a member of the Splunk Community?