Splunk Search

how to extract the below words from a log

umsundar2015
Path Finder

Hi,

I have following sample log string ,

May 13 14:20:32 pcpsd1sb.smart.net 318324: May 13 14:20:31.282 EDT: %CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on GigabitEthernet7/6 (not half duplex), with RDCBKL1LSW1 FastEthernet0/24 (half duplex).

In this i need to get
1. pcpsd1sb.smart.net
2. GigabitEthernet7/6 alone in different fields.
But in future there might be change in logs based on different settings.

Requirement :
I need to extract the words in these places and create two new fields .

Regards,
sundar

Tags (2)
0 Karma
1 Solution

dineshraj9
Builder

You need to find a starting pattern match and extract these fields. Here timestamp is match for field1 and text "discovered on" for field2 -

<base search> | rex "(\d{2}\:){2}\d{2}(?<field1>[^\s]+)"
| rex "discovered\s+on\s+(?<field2>[^\s]+)"

View solution in original post

0 Karma

dineshraj9
Builder

You need to find a starting pattern match and extract these fields. Here timestamp is match for field1 and text "discovered on" for field2 -

<base search> | rex "(\d{2}\:){2}\d{2}(?<field1>[^\s]+)"
| rex "discovered\s+on\s+(?<field2>[^\s]+)"
0 Karma

umsundar2015
Path Finder

Thank you dineshraj9

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...