Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

RegEx help in filtering values for splunk dashboard

jerinvarghese
Communicator
‎04-01-2020 04:22 AM

Hi all,

I have an output..

ISIS: Adjacency to IDCSO-WANRTC001 (FastEthernet0/0/0) Down, bfd neighbor down
ISIS: Adjacency to IDCSO-WANRTC001 (FastEthernet0/0/0) Up, new adjacency

COde currently am using.

index=nw_syslog "*CLNS-5-ADJCHANGE*"
| rename _time as Time_CST
| fieldformat Time_CST=strftime(Time_CST,"%x %X")
| dedup hostname, message
| table hostname, Time_CST, message

Output:

hostname    Time_CST    message
idpbv   03/31/20 06:24:32   ISIS: Adjacency to IDCSO (FastEthernet0/0/0) Down, bfd neighbor down
idpbv   03/31/20 06:24:33   ISIS: Adjacency to IDCSO (FastEthernet0/0/0) Up, new adjacency
idpbv   03/31/20 06:26:32   ISIS: Adjacency to IDCSO (FastEthernet0/2/0) Down, bfd neighbor down
idpbv   03/31/20 06:26:54   ISIS: Adjacency to IDCSO (FastEthernet0/2/0) Up, new adjacency

Expected output By using Regex.

hostname    Time_CST    Interface   Status  Count
idpbv   3/31/2020 6:24  FastEthernet0/0/0   UP  2
idpbv   3/31/2020 6:26  FastEthernet0/2/0   UP  2
Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vnravikumar
Champion
‎04-01-2020 04:59 AM

Hi

Check this

| makeresults 
| eval temp="ISIS: Adjacency to IDCSO (FastEthernet0/0/0) Down, bfd neighbor down#ISIS: Adjacency to IDCSO (FastEthernet0/0/0) Up, new adjacency#ISIS: Adjacency to IDCSO (FastEthernet0/2/0) Down, bfd neighbor down#ISIS: Adjacency to IDCSO (FastEthernet0/2/0) Up, new adjacency" 
| eval message = split(temp,"#") 
| mvexpand message 
| rex field=message "\((?P<interface>[^)]+)\)\s+(?P<status>[^,]+)" |table message interface status

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

vnravikumar
Champion
‎04-01-2020 04:59 AM

Hi

Check this

| makeresults 
| eval temp="ISIS: Adjacency to IDCSO (FastEthernet0/0/0) Down, bfd neighbor down#ISIS: Adjacency to IDCSO (FastEthernet0/0/0) Up, new adjacency#ISIS: Adjacency to IDCSO (FastEthernet0/2/0) Down, bfd neighbor down#ISIS: Adjacency to IDCSO (FastEthernet0/2/0) Up, new adjacency" 
| eval message = split(temp,"#") 
| mvexpand message 
| rex field=message "\((?P<interface>[^)]+)\)\s+(?P<status>[^,]+)" |table message interface status
0 Karma
Reply
Solved! Jump to solution

jerinvarghese
Communicator
‎04-01-2020 09:18 AM

the regexworks

| rex field=message "((?P[^)]+))\s+(?P[^,]+)" |table message interface status

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...