Re: help with a REGEX

extreme1 · ‎03-29-2013

I need help with a REGEX that needs to extract just fourth field in a line and nothing else.
The event looks like this:
Switch : 800471-00-04 1215G-04161 xxxxx xxxxx xxxx ........

Al I need is the "1215G-04161" portion of that line Can someone give me a quick regex for that?

Thanks!

eashwar · ‎03-30-2013

if you want the field for all events which start with the word Switch

EXTRACT-field4= (?i)Switch\s+:\s+\S+\s+(?P<4field>\S+-\S+)

eashwar · ‎04-02-2013

instead of 4field replace your own name! which you like to give

eashwar · ‎04-02-2013

index=main sourcetype="tcp-raw" | rex "(?i)Switch\s+:\s+\S+\s+(?P<4field>\S+-\S+)"

try this bro!!
consider voting if the answers helped you!!
thanks in advance!!
happy splunking,

extreme1 · ‎04-01-2013

Thanks. So what would the actual search look like?
==> index=main sourcetype="tcp-raw" | rex ????

martin_mueller · ‎03-29-2013

Assuming each field is a block of non-spaces, and assuming each field is separated by spaces, you can do this:

^(\S+\s+){3}(?<field4>\S+)

help with a REGEX

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation