Hi,
For given sample data set, how can I extract all the numbers (will be always 3 digits) from desc?
| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
output required:
can you please suggest regex I can use for the same?
Thank you.
Can you please try the below search?
YOUR_SEARCH
| rex field=desc "(?<loc>\d+)" max_match=0
| eval loc = mvjoin(loc,",")
My Sample Search :
| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
| rex field=desc "(?<loc>\d+)" max_match=0
| eval loc = mvjoin(loc,",")
|table loc
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.
thanks @kamlesh_vaghela and @ITWhisperer for prompt response. worked like a charm.
| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
| rex max_match=0 field=desc "(?<loc>\d{3})"
| eval loc=mvjoin(loc,",")
Can you please try the below search?
YOUR_SEARCH
| rex field=desc "(?<loc>\d+)" max_match=0
| eval loc = mvjoin(loc,",")
My Sample Search :
| makeresults
| eval desc="Frankfurt (123) & Saarbrucken (456), Germany - Primary down / Secondary down"
| append
[| makeresults
| eval desc="Frankfurt (123), Saarbrucken (456), Frankfurt Zeil (789) & Kaiserslautern (012), Germany - Primary up / Secondary up"]
| append
[| makeresults
| eval desc="Test - Creteil - (123) - France - Primary Up // Secondary Up"]
| append
[| makeresults
| eval desc="All devices at 456 London, England are alerting as down and unreachable"]
| append
[| makeresults
| eval desc="Test - 123-Clonmel ( Ireland) - Primary DOWN / Secondary UP/ Switch UP"]
| rex field=desc "(?<loc>\d+)" max_match=0
| eval loc = mvjoin(loc,",")
|table loc
I hope this will help you.
Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.