Splunk Search

How do I create this IFX or rex in this case?

dfigurello
Communicator

Hello Splunkers,

I have syslog logs in my Splunk index, for example:

2014-01-13 23:59:59 Local7.Error 172.16.80.21 10505: Jan 14 01:59:58.377: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on FastEthernet0/45.

I want to create a field called MSG, which will contain: "Loop-back detected on FastEthernet0/45."

Other examples:

2014-01-13 23:59:56 Local2.Info 192.168.116.4 339677: Jan 13 23:59:55: %PIM-6-INVALID_RP_JOIN: Received (*, 224.0.1.40) Join from 192.168.16.2 for invalid RP 192.168.116.1

MSG= Received (*, 224.0.1.40) Join from 192.168.16.2 for invalid RP 192.168.116.1

The value of MSG will be every character after ":".

Thanks, Splunkers.

1 Solution

kristian_kolb
Ultra Champion

I would suggest

... | rex ":\s+(?<MSG>[^:]+)$"

or in props.conf (which is where your IFX extractions will end up):

[your_sourcetype]
EXTRACT-my_msg = :\s+(?<MSG>[^:]+)$

/K
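As an added check that is not part of the thread, here is the accepted regex run offline over the two events from the question plus a constructed third event whose message body itself contains colons, which shows where the `[^:]+$` approach truncates. The mnemonic-anchored pattern is my own assumption, not something the answer proposes, and Python spells named groups `(?P<MSG>...)` where Splunk's PCRE accepts `(?<MSG>...)`.

```python
import re

# The accepted answer's regex, translated to Python's (?P<name>...) group syntax
# (Splunk uses PCRE, where (?<MSG>...) is valid).
ANSWER_RE = re.compile(r":\s+(?P<MSG>[^:]+)$")

# Assumed alternative (not from the thread): anchor on the Cisco %FACILITY-SEV-MNEMONIC:
# token and capture everything after it, so colons inside the message text survive.
MNEMONIC_RE = re.compile(r"%[A-Z0-9_]+-\d-[A-Z0-9_]+:\s+(?P<MSG>.*)$")


def extract_msg(line, pattern=ANSWER_RE):
    """Return the MSG field for one event, or None when the pattern does not match."""
    m = pattern.search(line)
    return m.group("MSG") if m else None


# Sample events: the first two are from the question; the third is constructed
# to show a message body that itself contains colons.
EVENTS = [
    "2014-01-13 23:59:59 Local7.Error 172.16.80.21 10505: Jan 14 01:59:58.377: "
    "%ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on FastEthernet0/45.",
    "2014-01-13 23:59:56 Local2.Info 192.168.116.4 339677: Jan 13 23:59:55: "
    "%PIM-6-INVALID_RP_JOIN: Received (*, 224.0.1.40) Join from 192.168.16.2 for invalid RP 192.168.116.1",
    "2014-01-13 23:59:57 Local7.Notice 172.16.80.21 10506: Jan 14 01:59:56.100: "
    "%SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 192.0.2.10]",
]

if __name__ == "__main__":
    for ev in EVENTS:
        # For the third event the answer's regex yields only "192.0.2.10]",
        # while the mnemonic-anchored one keeps the whole message.
        print("answer  :", extract_msg(ev))
        print("mnemonic:", extract_msg(ev, MNEMONIC_RE))
```

If MSG feeds an alert or a dashboard, test the extraction against events whose body contains ":" before relying on it.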

dfigurello
Communicator

Thanks, kristian_kolb.
