Solved: Re: help regex

DiviR · ‎01-11-2018

I have this kind of logs

00:00:47: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan3, changed state to up
00:00:48: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/5, changed state to down

How can I extract severity and interface?

TIA

mayurr98 · ‎01-11-2018

hey try this

index=your_index | rex field=_raw "%\w+-(?P<Severity>[^\-]+)-.*Interface\s(?P<Interface>[^\,]+)"

Also check this to see this in action
https://regex101.com/r/IYRjiZ/1

Let me know if this helps!

View solution in original post

mayurr98 · ‎01-11-2018

hey try this

index=your_index | rex field=_raw "%\w+-(?P<Severity>[^\-]+)-.*Interface\s(?P<Interface>[^\,]+)"

Also check this to see this in action
https://regex101.com/r/IYRjiZ/1

Let me know if this helps!

DiviR · ‎01-11-2018

thanks it works but is there any way to extract description as well after interface?

mayurr98 · ‎01-11-2018

try this then

    index=your_index | rex field=_raw "%\w+-(?P<Severity>[^\-]+)-.*Interface\s(?P<Interface>[^\,]+)\,(?P<Description>.*)"

help regex

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI

Are you a member of the Splunk Community?

help regex

Observe and Secure All Apps with Splunk

What's New in Splunk Observability - August 2025

Introduction to Splunk AI