regex need help separating each row and creating f...

thaghost99 · ‎02-28-2024

Hi i would like some help to extract each line of data into separate fields of Name, ID, Speed & duplex, state, mac address.

critical that "state" is its own field.

getting stuck and need help. thank you

Data below

name                    id    speed/duplex/state            mac address
--------------------------------------------------------------------------------
ethernet1/3             66    1000/full/up                  b6:2c:23:e0:40:42
ethernet1/4             67    1000/full/up                 b6:2c:23:e0:40:43
ethernet1/5             68    10000/full/up                 b6:2c:23:e0:40:44
ethernet1/6             69    10000/full/up                 b6:2c:23:e0:40:45
ethernet1/7             70    10000/full/up                 b6:2c:23:e0:40:46
ethernet1/8             71    10000/full/up                 b6:2c:23:e0:40:47
ae1                     16    [n/a]/[n/a]/up                b6:2c:23:e0:40:10
ae2                     17    [n/a]/[n/a]/up                b6:2c:23:e0:40:11
ha1-a                   5     1000/full/up                  d1:f4:b3:c3:25:97
ha1-b                   7     1000/full/up                  d1:f4:b3:c3:25:96
vlan                    1     [n/a]/[n/a]/up                b6:2c:23:e0:40:01
loopback                3     [n/a]/[n/a]/up                b6:2c:23:e0:40:03
tunnel                  4     [n/a]/[n/a]/up                b6:2c:23:e0:40:04
hsci                    8     40000/full/up                 01:20:6c:1c:81:08

any help will be appreciated. thanks,

richgalloway · ‎02-28-2024

Does it have to be regex? I'm a big fan of them, but this problem looks like it's made for multikv.

---
If this reply helps you, Karma would be appreciated.

thaghost99 · ‎02-28-2024

@richgalloway

hi Rich are you able to do multikv help on this one?

richgalloway · ‎02-29-2024

Yes, I can help, but it's also in the manual.

| multikv forceheader=1

---
If this reply helps you, Karma would be appreciated.

thaghost99 · ‎02-28-2024

no it does not have to be. its whatever works. 😃

thaghost99 · ‎02-28-2024

hi @jotne it works great, just small favor. how do i stop it if it sees the below line 'aggregation groups'? with data below? cause its also capturing that part, but the rest is great. ty

name                    id    speed/duplex/state            mac address
--------------------------------------------------------------------------------
ethernet1/3             66    1000/full/up                  b6:2c:23:e0:40:42
ethernet1/4             67    1000/full/up                 b6:2c:23:e0:40:43
ethernet1/5             68    10000/full/up                 b6:2c:23:e0:40:44
ethernet1/6             69    10000/full/up                 b6:2c:23:e0:40:45
ethernet1/7             70    10000/full/up                 b6:2c:23:e0:40:46
ethernet1/8             71    10000/full/up                 b6:2c:23:e0:40:47
ae1                     16    [n/a]/[n/a]/up                b6:2c:23:e0:40:10
ae2                     17    [n/a]/[n/a]/up                b6:2c:23:e0:40:11
ha1-a                   5     1000/full/up                  d1:f4:b3:c3:25:97
ha1-b                   7     1000/full/up                  d1:f4:b3:c3:25:96
vlan                    1     [n/a]/[n/a]/up                b6:2c:23:e0:40:01
loopback                3     [n/a]/[n/a]/up                b6:2c:23:e0:40:03
tunnel                  4     [n/a]/[n/a]/up                b6:2c:23:e0:40:04
hsci                    8     40000/full/up                 01:20:6c:1c:81:08

aggregation groups: 0

jotne · ‎02-28-2024

You could do that with a search command like this:

| search NOT "aggregation"

Or

| search id=*

jotne · ‎02-28-2024

Here you go:

(?<name>\S+)\s+(?<id>\d+)\s+(?<speed>[^\/]+)\/(?<duplex>[^\/]+)\/(?<state>\S+)\s+(?<mac>\S+)

https://regex101.com/r/99K6Do/1

regex need help separating each row and creating fields

table

Introducing the Splunk Community Dashboard Challenge!

Get the T-shirt to Prove You Survived Splunk University Bootcamp

Wondering How to Build Resiliency in the Cloud?