Can u help we with below.
I would like to create regular expression to extract a particular field from comma separated log entry regardless of its length.
Log entry sample
2017-02-21 14:25:59,2017-02-21 14:25:59,0.000,101.214.24.6,17.28.191.41,45604,22,TCP,.A....,0,0,1,52,0,0,151129516,151129615,0,0,0,0,0,0,72.128.190.41,0.0.0.0,0,0,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,00:00:00:00:00:00,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0,0-0-0, 0.000, 0.000, 0.000,**72.128.157.2**,1/2,2,2017-02-21 14:26:00.535
Above log entry is a single linke and has multiple fields which is is comma separated. I would like to extract the field which is marked in BOLD. That is next hop IP for netflow logs.
Basically i would like to only extract the '45th' field in this log entry, regardless of variable data lengths from each fields or type of data.
Can u pls help. I tried while extracting fields and let splunk to do it, but when the data size varies, splunk fails to detect certain fields.
↧