Need help on Regex to extract

sekhar463 · ‎02-24-2023

hi all,

how to extract this message bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host as new fields as BGP connection fields

BGP_CONNECT_FAILED: bgp_connect_start: connect 2403:df40:0:16::3 (Internal AS 14630) (instance master): No route to host

gcusello · ‎02-24-2023

Hi @sekhar463,

could you share your full log?

the regex for the log you shared could be:

| rex "BGP_CONNECT_FAILED: (?<BGP_connection>.*)"

that you can test at https://regex101.com/r/4s62eG/1

but to be more sure I nned the full log.

Ciao.

Giuseppe

sekhar463 · ‎02-26-2023

Thank you its working manually.

how to add automatically for a source type.

i have added the regex in the field extractor but not getting field populated while searching with the sourcetype

gcusello · ‎02-27-2023

Hi @sekhar463,

you can automatically extract the field using the Field Extractor or the [Settings > Fields > ield Extraction > new Field] (in this case you have to identify the sourcetype for the Field Extractioj.

Ciao.

Giuseppe

sekhar463 · ‎02-27-2023

yes i did the same and i have given below regex.

but still not reflecting in the search data

gcusello · ‎02-27-2023

Hi @sekhar463,

check the sourcetype and wait some minute before testing the field extraction, it isn't immediate.

Ciao.

Giuseppe

Need help on Regex to extract

field extraction

Your Guide to SPL2 at .conf24!

Get ready to show some Splunk Certification swagger at .conf24!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...