Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

how to fetch the filed using regex

priyastalin
Explorer
‎03-09-2021 12:13 AM

Hi, @ITWhisperer @bowesmana @niketnilay 

@dmarling 

Could you Please help me with my doubt

Query:

"index=71412-cli sourcetype=show_interface | fields type interface operStatus |table type interface operStatus |search interface=port*"

output of the query

type                       interface
Port-channel     Port-channel1
Port-channel     Port-channel261
Port-channel     Port-channel100
Port-channel     Port-channel99.202
Port-channel     Port-channel99.200
Port-channel     Port-channel99.160
Port-channel     Port-channel99.159
Port-channel     Port-channel99.158
Port-channel    Port-channel99.157

I need to capture only the values after the Port-channel(99.157) from the interface column and create separate column to print only the ids of port-channel

Expected output

type                       interface                                  port-id
Port-channel     Port-channel1                          1
Port-channel     Port-channel261                     261
Port-channel     Port-channel100                    100
Port-channel     Port-channel99.202             99.202
Port-channel     Port-channel99.200             99.200
Port-channel     Port-channel99.160             99.160
Port-channel     Port-channel99.159             99.159
Port-channel     Port-channel99.158             99.158
Port-channel    Port-channel99.157              99.157

Please help me in solving this doubts

Thanks and regards,

Priya

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 12:47 AM

Hi @priyastalin,

good for You!

Please, accept it for the other people of Community.

Ciao and Happy Splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 12:19 AM

Hi @priyastalin,

try this regex

"index=71412-cli sourcetype=show_interface 
| rex field=interface "^Port-channel(?<port_id>.*)"
| table type interface  port_id

that you can test at https://regex101.com/r/XtkQiZ/1

Don't use "-" in the field name, but "_".

Ciao.

Giuseppe

Reply
Solved! Jump to solution

priyastalin
Explorer
‎03-09-2021 12:45 AM

Hi @gcusello,

Thank you so much for your input. Itworked fine

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-09-2021 12:47 AM

Hi @priyastalin,

good for You!

Please, accept it for the other people of Community.

Ciao and Happy Splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!