Splunk Search

Need help on Rex filter

jerinvarghese
Communicator

Hi All,

Need help in getting the right rex filter for the below _raw data.

 

2021-12-04T01:29:48.015524+00:00 USHCO-EXXON, ipsec-ike-down, 689, "IKE connection with peer 10.218.42.113 (routing-instance EXXON-Control-VR) is up", USPAB

2021-12-04T01:29:15.007722+00:00 USHCO-EXXON, ipsec-tunnel-down, 687, "IPSEC tunnel with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up", USPAB

2021-12-04T01:29:15.007722+00:00 USHCO-EXXON, ipsec-ike-down, 686, "IKE connection with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up", USPAB

2021-12-04T01:29:14.807814+00:00 USHCO-EXXON, ipsec-tunnel-down, 872, "IPSEC tunnel with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up", USPAB

2021-12-04T01:29:14.807814+00:00 USHCO-EXXON, ipsec-ike-down, 871, "IKE connection with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up", USPAB

 

 

Above is the raw data.

Requirement:

All the content within " " needs to be filtered.

Example

"IKE connection with peer 10.218.42.113 (routing-instance EXXON-Control-VR) is up"
"IPSEC tunnel with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up"
"IKE connection with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up"
"IPSEC tunnel with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up"
"IKE connection with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up"

 

 

Above content to be filtered into Event_Log

 

| rex field=_raw "(?<Event_Log>[^"]+)"

But I am missing something; it's not capturing the data.


gcusello
SplunkTrust

Hi @jerinvarghese,

What do you really intend with "filter"?

Do you want to extract the strings between quotes into a field, or not display them?

If you want to put them in a field called "Event_Log", you could use a regex like this:

| rex "\"(?<Event_Log>[^\"]+)\""

You can test the regex at https://regex101.com/r/hkPiCZ/1

ciao.

Giuseppe
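
Added example, not part of the original thread: a run-anywhere search that feeds two of the sample events from the question through the `rex` from the answer above, then splits `Event_Log` into further fields. The field names `raw`, `link_type`, `peer_ip`, `routing_instance` and `state` are assumptions chosen for this illustration. In the original attempt the unescaped `"` inside the pattern ends the SPL string early, which is why the quotes are written as `\"` here.

```spl
| makeresults
| eval raw=split("2021-12-04T01:29:48.015524+00:00 USHCO-EXXON, ipsec-ike-down, 689, \"IKE connection with peer 10.218.42.113 (routing-instance EXXON-Control-VR) is up\", USPAB|2021-12-04T01:29:15.007722+00:00 USHCO-EXXON, ipsec-tunnel-down, 687, \"IPSEC tunnel with peer 10.218.42.111 (routing-instance EXXON-Control-VR) is up\", USPAB", "|")
| mvexpand raw
| rex field=raw "\"(?<Event_Log>[^\"]+)\""
| rex field=Event_Log "^(?<link_type>IKE connection|IPSEC tunnel) with peer (?<peer_ip>\d{1,3}(?:\.\d{1,3}){3}) \(routing-instance (?<routing_instance>[^)]+)\) is (?<state>\w+)$"
| table Event_Log link_type peer_ip routing_instance state
```

In the sample data the event name ends in `-down` while the quoted message ends in `is up`, so `state` here reflects the message text rather than the event name.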
