How to use Regex in Splunk searches

Regex to extract fields # 

| rex field=_raw "port (?<port>.+)\."

_raw

The source to apply the regular expression to. This is a Splunk extracted field.

left side of ()

The left side of what you want stored as a variable. Anything here will not be captured and stored into the variable. Everything here is still a regular expression.

right side of ()

The right side of what you want stored as a variable. Anything here will not be captured and stored into the variable. Everything here is still a regular expression. Because “.” is outside of the parentheses to the right, it denotes the period ends the expression, and should not be included in the variable.

?<port>

Store captured regex in variable “port”.

.+

Regex to capture and save in the variable. In this case, an unlimited amount of characters until the end of the line.

Putting it all together #

Say you have _raw data equal to the following

Jun 24 14:03:43  %PORT_SECURITY-2-PSECURE_VIOLATION:  Security violation occurred, caused by MAC address d000.e223.9898 on port GigabitEthernet1/0/23.

and a search of

%PORT_SECURITY-2-PSECURE_VIOLATION | transaction fields=host | rex field=_raw "port (?<port>.+)\." | table _time,host,port

Your output will be

_time host port
2014-06-24 14:03:44 8.8.8.8 GigabitEthernet1/0/23
 
189
Kudos
 
189
Kudos

Now read this

Splunk - Diff examples and One-Way diff

Splunk’s ‘set’ command will allow you to ‘diff’ two result sets. What this means is that say you have two sets: Set A: “event1 event2 event3” Set B: “event2 event3 event4” Splunk will tell you all the differences that occur between these... Continue →