Splunk - How to use Regex in searches
Regex to extract fields
| rex field=_raw "port (?<port>.+)\."
_raw
The source field the regular expression is applied to. _raw is the default field that holds the complete text of the event; any other field name can be used here instead.
left side of ()
The regex to the left of the capture group. It must match, but the text it matches is not captured or stored in the variable. Everything here is still a regular expression; in this case it is the literal word “port” followed by a space.
right side of ()
The regex to the right of the capture group. Like the left side, it must match but is not captured or stored. Because “\.” sits outside the parentheses, the expression only matches when the captured text is followed by a literal period, and that period is left out of the variable.
?<port>
Names the capture group: whatever the group matches is stored in a new field called “port”. The angle brackets are part of the syntax and must not be escaped.
.+
The regex whose match is captured and saved in the variable. “.+” matches one or more of any character and is greedy, so it takes as much as it can and only backs off far enough for the trailing “\.” to match. In practice the capture runs up to the last period in the event, not the first one. In the example below the final period is the only one after “port ”, so this works; a message with more text after the port name would capture that text too. A tighter class such as “[^\s.]+” stops at the first space or period and is safer for field extraction.
Putting it all together
Say you have _raw data equal to the following
Jun 24 14:03:43 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address d000.e223.9898 on port GigabitEthernet1/0/23.
and a search of
%PORT_SECURITY-2-PSECURE_VIOLATION | transaction fields=host | rex field=_raw "port (?<port>.+)\." | table _time,host,port
Your output will be
| _time | host | port |
|---|---|---|
| 2014-06-24 14:03:44 | 8.8.8.8 | GigabitEthernet1/0/23 |
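The following is an added example, not part of the original page, that runs the same regex outside Splunk so the greedy “.+” behaviour can be checked against sample events. The three events are constructed for this example: the first is the page's _raw line, the second adds text after the port name, and the third drops the trailing period. Python's re module names groups with (?P<name>...) rather than the (?<name>...) form rex uses; the patterns are otherwise identical. The STRICT and LENIENT patterns are suggested alternatives, not something the page prescribes.

```python
import re

# Constructed sample events for this example. The first is the page's _raw line;
# the other two are variations made up here to show where the page's regex breaks.
EVENTS = [
    "Jun 24 14:03:43 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address d000.e223.9898 on port GigabitEthernet1/0/23.",
    # Constructed: extra sentence after the port name, so there is more than one period.
    "Jun 24 14:03:44 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address d000.e223.9898 on port GigabitEthernet1/0/24. Port shut down.",
    # Constructed: no trailing period at all.
    "Jun 24 14:03:45 %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    "caused by MAC address d000.e223.9898 on port GigabitEthernet1/0/25",
]

# The page's rex pattern, with Python's (?P<name>...) group syntax.
# Greedy ".+" backtracks only far enough for the final "\." to match,
# so the capture extends to the LAST period in the event.
PAGE_PATTERN = re.compile(r"port (?P<port>.+)\.")

# Assumed hardening (not from the page): capture only characters that are
# neither whitespace nor a period, so the match stops at the first period.
STRICT_PATTERN = re.compile(r"port (?P<port>[^\s.]+)\.")

# Assumed lenient variant (not from the page): same character class, but the
# trailing period is not required, so events without one still yield a field.
LENIENT_PATTERN = re.compile(r"port (?P<port>[^\s.]+)")


def extract_port(pattern: re.Pattern, raw: str):
    """Return the text captured in the 'port' group, or None when the pattern does not match.

    This mirrors rex: a non-matching event does not raise an error, the field is simply absent.
    """
    match = pattern.search(raw)
    return match.group("port") if match else None


def extract_all(pattern: re.Pattern, events):
    """Apply extract_port to every event, preserving order (None marks a missing field)."""
    return [extract_port(pattern, event) for event in events]


if __name__ == "__main__":
    for name, pattern in (("page", PAGE_PATTERN), ("strict", STRICT_PATTERN), ("lenient", LENIENT_PATTERN)):
        print(name, extract_all(pattern, EVENTS))
```

Running the block shows the page's pattern overcapturing on the second event (“GigabitEthernet1/0/24. Port shut down”) and silently producing no field for the third, while the stricter character class gives just the interface name in both cases where a period is present.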