- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
help with a REGEX
I need help with a REGEX that needs to extract just fourth field in a line and nothing else.
The event looks like this:
Switch : 800471-00-04 1215G-04161 xxxxx xxxxx xxxx ........
Al I need is the "1215G-04161" portion of that line Can someone give me a quick regex for that?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
if you want the field for all events which start with the word Switch
EXTRACT-field4= (?i)Switch\s+:\s+\S+\s+(?P<4field>\S+-\S+)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
instead of 4field replace your own name! which you like to give
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main sourcetype="tcp-raw" | rex "(?i)Switch\s+:\s+\S+\s+(?P<4field>\S+-\S+)"
try this bro!!
consider voting if the answers helped you!!
thanks in advance!!
happy splunking,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. So what would the actual search look like?
==> index=main sourcetype="tcp-raw" | rex ????
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming each field is a block of non-spaces, and assuming each field is separated by spaces, you can do this:
^(\S+\s+){3}(?<field4>\S+)
