rex construction help

jossaq · ‎07-16-2013

Hi there I´m creating a REX to extract data from a raw field like this
2013-07-08T09:33:59.899088-05:00 10.27.253.125 553623: 2015101: Jul 8 10:00:01.474: %MAC_MOVE-SW1-4-NOTIF: Host 6c88.1468.b350 in vlan 592 is flapping between port Te1/7/2 and port Te1/7/1

with this expression
... | rex field=_raw "Host (?.) vlan (?.[0-9])" | chart c(hot) by hot

But in the "hot" extracted field appears "6c88.1468.b350 in"
I want to get rid of the " in" part so I can get 6c88.1468.b350

How can I make that?

51741854 · ‎12-14-2016

Hi there I want to extract carrier filed from a raw field like this : btw: the carrier filed is Indefinite number of times . How can i make it .
[{"carrier":"PR","depAirport":"CAN","depTime":"201703050605","arrAirport":"MNL","arrTime":"201703050740","stopCities":"","codeShare":false,"cabin":"O","aircraftCode":"","flightNumber":"PR383"},{"carrier":"PR","depAirport":"MNL","depTime":"201703051200","arrAirport":"MPH","arrTime":"201703051255","stopCities":"","codeShare":false,"cabin":"T","aircraftCode":"","flightNumber":"PR2041"}],"retSegments":[{"carrier":"PR","depAirport":"MPH","depTime":"201703111635","arrAirport":"MNL","arrTime":"201703111730","stopCities":"","codeShare":false,"cabin":"T","aircraftCode":"","flightNumber":"PR2054"},{"carrier":"PR","depAirport":"MNL","depTime":"201703120245","arrAirport":"CAN","arrTime":"201703120505","stopCities":"","codeShare":false,"cabin":"O","aircraftCode":"","flightNumber":"PR382"}]}}

Rob · ‎07-16-2013

Not sure if that regex string got formatted correctly, however, here is something that might work for you:

| rex field=_raw "Host (?<hot>\S+) in vlan (?<vlan>.[0-9]+)" | chart c(hot) by hot

rex construction help

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!