Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex for source target

indeed_2000
Motivator
‎07-15-2021 12:57 PM

Hi

here is my log:

2020-01-19 13:20:15,093 INFO ABC.InEE-Product-00000 [MyProcessor] Detail Packet: M[000] T[111] P[0A0000] AT[00] R[0000] TA[ABC.OutEE-Product] Status[OUT-LOGOUT,EXIT]

2020-01-19 13:36:08,185 INFO ABC.InEP-Product-00000 [MyProcessor] Detail Packet Lost: M[000] T[111] SA[ABC.InEE-Product]  R[0000]

 

what is the rex for

SOURCE=ABC.InEE-Product

TARGET=ABC.OutEE-Product

Model=000

Tip=111

POD=0A0000

 

any idea?

Thanks,

Labels (2)
Labels
Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-15-2021 05:08 PM

Hi @indeed_2000 

You need two different rex as second event is little bit different from first you don't have every field there, see if you can merge them together.

 

| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+P\[(?<POD>[^\]]+).+?TA\[(?<TARGET>[^\]]+)\]" 
| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+SA\[(?<SOURCE>[^\]]+)"

 

 POD , TARGET missing in your second event.

---

An upvote would be appreciated and Accept solution if this reply helps! 

View solution in original post

Reply
Solved! Jump to solution
Solution

venkatasri
SplunkTrust
SplunkTrust
‎07-15-2021 05:08 PM

Hi @indeed_2000 

You need two different rex as second event is little bit different from first you don't have every field there, see if you can merge them together.

 

| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+P\[(?<POD>[^\]]+).+?TA\[(?<TARGET>[^\]]+)\]" 
| rex "\d+:\d+:\d+\,\d+\s+\w+\s+(?<SOURCE>\S+).+M\[(?<MODEL>[^\]]+)\]\s+T\[(?<TIP>[^\]]+)\]\s+SA\[(?<SOURCE>[^\]]+)"

 

 POD , TARGET missing in your second event.

---

An upvote would be appreciated and Accept solution if this reply helps! 

Reply
Solved! Jump to solution

codebuilder
Influencer
‎07-15-2021 01:11 PM

Have you tried using erex to build the regex for you? It's very handy.

https://docs.splunk.com/Documentation/Splunk/8.2.1/SearchReference/Erex

----
An upvote would be appreciated and Accept Solution if it helps!
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...