I have a field called "M" and some of the values are as follows:
"Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530"
"Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524"
"Panorama push to device:016401009013 for device-group: Austin_Experience_Lounge succeeded. JobId=2480530"
How can I extract just the first string in between each "....device-group: *** succeeded. ....", where *** represents the respective value to be extracted? In the case of the above 3 examples, the 3 values extracted are "Durham_IPV6_INET_SVCS", "Azure-China-Internet-North" and "Austin_Experience_Lounge" respectively.
I tried using the following Splunk command but had no success:
|rex "body\s(?<portNumber>\d+)\s"
I appreciate any help on this regex issue. Thanks,
At search time, use the rex command to extract the device-group value.
| rex field=M "device-group:\s*(?<deviceGroup>.+?) succeeded"
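
To check the extraction without touching indexed data, the search below (an added example, not part of the original answer) rebuilds the three sample values from the question with makeresults and applies the same lazy `.+?` capture, which stops at the first " succeeded" so hyphens and underscores in the group name are kept. It goes slightly beyond the answer by also capturing the device serial and the job ID; the field names device and jobId are assumptions chosen for illustration.

```spl
| makeresults
| eval M=split("Panorama push to device:013101010578 for device-group: Durham_IPV6_INET_SVCS succeeded. JobId=2480530|Panorama push to device:007257000068919 for device-group: Azure-China-Internet-North succeeded. JobId=2480524|Panorama push to device:016401009013 for device-group: Austin_Experience_Lounge succeeded. JobId=2480530", "|")
| mvexpand M
| rex field=M "device:(?<device>\d+) for device-group:\s*(?<deviceGroup>.+?) succeeded\. JobId=(?<jobId>\d+)"
| table device deviceGroup jobId
```

Events that do not match the pattern simply get no extracted fields, so appending `| where isnull(deviceGroup)` in place of the table command lists any messages the regex missed.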