Re: help with a REGEX

extreme1 · ‎03-29-2013

I need help with a REGEX that needs to extract just fourth field in a line and nothing else.
The event looks like this:
Switch : 800471-00-04 1215G-04161 xxxxx xxxxx xxxx ........

Al I need is the "1215G-04161" portion of that line Can someone give me a quick regex for that?

Thanks!

eashwar · ‎03-30-2013

if you want the field for all events which start with the word Switch

EXTRACT-field4= (?i)Switch\s+:\s+\S+\s+(?P<4field>\S+-\S+)

eashwar · ‎04-02-2013

instead of 4field replace your own name! which you like to give

eashwar · ‎04-02-2013

index=main sourcetype="tcp-raw" | rex "(?i)Switch\s+:\s+\S+\s+(?P<4field>\S+-\S+)"

try this bro!!
consider voting if the answers helped you!!
thanks in advance!!
happy splunking,

extreme1 · ‎04-01-2013

Thanks. So what would the actual search look like?
==> index=main sourcetype="tcp-raw" | rex ????

martin_mueller · ‎03-29-2013

Assuming each field is a block of non-spaces, and assuming each field is separated by spaces, you can do this:

^(\S+\s+){3}(?<field4>\S+)

help with a REGEX

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Join the Conversation