Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex for source target

indeed_2000
Motivator
‎07-15-2021 12:57 PM

Hi

here is my log:

2020-01-19 13:20:15,093 INFO ABC.InEE-Product-00000 [MyProcessor] Detail Packet: M[000] T[111] P[0A0000] AT[00] R[0000] TA[ABC.OutEE-Product] Status[OUT-LOGOUT,EXIT]

2020-01-19 13:36:08,185 INFO ABC.InEP-Product-00000 [MyProcessor] Detail Packet Lost: M[000] T[111] SA[ABC.InEE-Product]  R[0000]

 

what is the rex for

SOURCE=ABC.InEE-Product

TARGET=ABC.OutEE-Product

Model=000

Tip=111

POD=0A0000

 

any idea?

Thanks,

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-15-2021 05:08 PM

Hi @indeed_2000 

You need two different rex as second event is little bit different from first you don't have every field there, see if you can merge them together.

 

| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+P\[(?<POD>[^\]]+).+?TA\[(?<TARGET>[^\]]+)\]" 
| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+SA\[(?<SOURCE>[^\]]+)"

 

 POD , TARGET missing in your second event.

---

An upvote would be appreciated and Accept solution if this reply helps! 

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-15-2021 05:08 PM

Hi @indeed_2000 

You need two different rex as second event is little bit different from first you don't have every field there, see if you can merge them together.

 

| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+P\[(?<POD>[^\]]+).+?TA\[(?<TARGET>[^\]]+)\]" 
| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+SA\[(?<SOURCE>[^\]]+)"

 

 POD , TARGET missing in your second event.

---

An upvote would be appreciated and Accept solution if this reply helps! 

Reply
Solved! Jump to solution

codebuilder
Influencer
‎07-15-2021 01:11 PM

Have you tried using erex to build the regex for you? It's very handy.

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...