Solved: Can you help me use regex to extract fields that c...

lucien62 · ‎01-29-2019

Hello Splunk,

I have the following raw log lines:

1 2019-01-29T15:44:41.184068+00:00 xxx vpxd 4566 - -  Event [5650552] [1-1] [2019-01-29T15:44:41.182223Z] [vim.event.VmMigratedEvent] [info] [] [x - x] [5650175] [Migration of virtual machine vm1 from host1, ds_SSD_001 to host1, ds_SSD_002 completed]

I'm trying to find all log entries where both fields containing SSD (ds_SSD_001, or ds_SSD_002,or ds_SSD_00x) are different.

(This basically means that one VM has moved from one datastore to another)

I figured I should be using rex to extract the 2 occurrences of SSD and compare them | where field1 != field2

I can't manage to find the regex code to extract these fields (I'm very new to regex...)

chrisyounger · ‎01-29-2019

Try this Migration of .*, (?<store1>\S+).*, (?<store2>\S+)

https://regex101.com/r/IFFrB3/1

You can use this like so
You search | rex "Migration of .*, (?<store1>\S+).*, (?<store2>\S+)" | table store1 store2

View solution in original post

chrisyounger · ‎01-29-2019

Try this Migration of .*, (?<store1>\S+).*, (?<store2>\S+)

https://regex101.com/r/IFFrB3/1

You can use this like so
You search | rex "Migration of .*, (?<store1>\S+).*, (?<store2>\S+)" | table store1 store2

Can you help me use regex to extract fields that contain 'ssd'?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor