Hi,
I have information like: "DESCRIPTION EMEA:GERMANY:FRANKFURT / client4711 / down"
where DESCRIPTION is a field, already. I would like to rex the information "client4711".
This should be done by rexing all information which starts with "/" followed by one "blank", "client4711", one "blank", followed by "/".
Could you answer my question, please?
Many thanks in advance.
floe.
Try this which will cover all clients, basically everything between blank and blank:
... | rex field=DESCRIPTION "\/\s(?<client>\S+)\s\/" | ...
Many thanks. Looks better 🙂
I see some clients, now. Unfortunately, if a client includes one or more "-", Splunk doesn't extract the information.
Example:
client4711- works 🙂
client8888 - works 🙂
client-4711 Splunk doesn't extract the information
client-47-12-21 Splunk doesn't extract the information
Is there a way to tell rex "extract everything between /blank /blank"?
Many thanks in advance
floe.
Try this:
... | rex field=DESCRIPTION "\/\s(?<client>\w+)\s\/" | ...
Here's an update based on your comment.
... | rex field=DESCRIPTION "\/\s(?<client>[^\s]+)\s\/" | ...
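
Added example (not part of any post in this thread): the three patterns posted above, run under Python's `re` module against constructed DESCRIPTION values, with Splunk's `(?<client>...)` written as Python's `(?P<client>...)`. The `between_slashes` pattern and the names `extract_client` and `compare` are assumptions introduced here; results are for Python's regex engine, not a Splunk search.

```python
import re

# Patterns from the thread; only the named-group syntax is adapted for Python.
PATTERNS = {
    "non_whitespace": r"/\s(?P<client>\S+)\s/",     # the \S+ answer
    "word_chars": r"/\s(?P<client>\w+)\s/",         # the \w+ answer
    "negated_class": r"/\s(?P<client>[^\s]+)\s/",   # the [^\s]+ update
    # Added variant (assumption, not from the thread): lazily take everything
    # up to the next " /", so a name that itself contains a blank is captured.
    "between_slashes": r"/\s(?P<client>[^/]+?)\s/",
}

# Constructed DESCRIPTION values modelled on the one in the question.
SAMPLES = [
    "EMEA:GERMANY:FRANKFURT / client4711 / down",
    "EMEA:GERMANY:FRANKFURT / client-4711 / down",
    "EMEA:GERMANY:FRANKFURT / client-47-12-21 / down",
    "EMEA:GERMANY:FRANKFURT / client 8888 / down",   # blank inside the name
    "EMEA:GERMANY:FRANKFURT down",                   # delimiters missing
]


def extract_client(description, pattern):
    """Return the captured client name, or None when the pattern does not match."""
    match = re.search(pattern, description)
    return match.group("client") if match else None


def compare(samples=SAMPLES):
    """Map each sample to the value every pattern extracts from it."""
    return {
        sample: {name: extract_client(sample, pattern)
                 for name, pattern in PATTERNS.items()}
        for sample in samples
    }


if __name__ == "__main__":
    for sample, results in compare().items():
        print(sample)
        for name, value in results.items():
            print(f"    {name:16} -> {value!r}")
```
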