- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- New to splunk and looking for a way to extract val...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I am trying to come up with the splunk search command that I need to extract a number, which is not indexed. I need to extract the number after the "balance" word below.
2013-01-29 11:43:48,163 level=INFO Running http request with balance 115076
So I put in my Splunk index the "http request", and I get all the matches for "http request"
and I only care to show the balances that are bigger than 1,000.
I have been doing a lot of research, but I haven't found anything that actually does what I am trying to do regex but I haven't been successful. Any help, any pointers, greatly appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is pretty quick and dirty, but it should work:
{search criteria} | rex field=_raw ".*balance +(?<number>[0-9]+)" | search number>1000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think there are many ways to extract the values you're looking forward to extract, but, I imagine that the better way is to create new field due to the easiest way to work with that on future queries. Extract that perhaps with IFX and carry on being creative with Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you thought about extracting balance as a field? Then you can run a report based on that and another field?
to extract that field, search Splunk for "http request" for a short period of time. Then click the blue arrow in the results and go to extract fields. In the example box, put a few of the balance numbers and tell it to run with that. Name the field "balances"
then you can run a report like this:
http request | top 50 balances by (insert another searcher here, like IP, URL, Time, anything you like really)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried doing that, but for this particular case it didn't for some reason showed the blue arrow next to the balance, I noticed it mostly did it for anything that had a "=" sign in it. Not for this case though.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This is pretty quick and dirty, but it should work:
{search criteria} | rex field=_raw ".*balance +(?<number>[0-9]+)" | search number>1000
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
No problem... you might also consider adding the extraction to your local/props.conf file so that the extractions happen automatically:
EXTRACT-number = .*balance +(<number>[0-9]+)
then your search would simply be
{existing search criteria} number>1000
Read up on EXTRACT at http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks so much Jeff, that worked beautifully. I will learn from your answer and build on it. Thanks again!
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
