Hello,
I am trying to come up with the Splunk search command I need to extract a number that is not indexed. I need to extract the number after the word "balance" below.
2013-01-29 11:43:48,163 level=INFO Running http request with balance 115076
So I put "http request" in my Splunk index, and I get all the matches for "http request", and I only care to show the balances that are bigger than 1,000.
I have been doing a lot of research, but I haven't found anything that actually does what I am trying to do with regex; I haven't been successful. Any help, any pointers, greatly appreciated.
This is pretty quick and dirty, but it should work:
{search criteria} | rex field=_raw ".*balance +(?<number>[0-9]+)" | search number>1000
I think there are many ways to extract the values you're looking to extract, but I imagine the better way is to create a new field, since that is the easiest way to work with it in future queries. Extract it perhaps with IFX and carry on being creative with Splunk.
Have you thought about extracting balance as a field? Then you can run a report based on that and another field?
To extract that field, search Splunk for "http request" for a short period of time. Then click the blue arrow in the results and go to extract fields. In the example box, put a few of the balance numbers and tell it to run with that. Name the field "balances".
then you can run a report like this:
http request | top 50 balances by (insert another searcher here, like IP, URL, Time, anything you like really)
I tried doing that, but for this particular case, for some reason, it didn't show the blue arrow next to the balance. I noticed it mostly did that for anything that had a "=" sign in it, but not for this case.
No problem... you might also consider adding the extraction to your local/props.conf file so that the extractions happen automatically:
EXTRACT-number = .*balance +(?<number>[0-9]+)
then your search would simply be
{existing search criteria} number>1000
Read up on EXTRACT at http://docs.splunk.com/Documentation/Splunk/latest/admin/propsconf
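The same extraction and threshold filter as the rex / EXTRACT-number answers above, run over a few constructed sample events in Python (an added example, not code from the thread or from Splunk), so you can see the numeric comparison behave on boundary values:

```python
import re

# Same pattern the thread uses for rex and for EXTRACT-number in props.conf.
# Python's re module spells a named group (?P<name>...); Splunk/PCRE accept (?<name>...).
BALANCE_RE = re.compile(r"balance +(?P<number>[0-9]+)")

# Constructed sample events in the format shown in the question.
SAMPLE_EVENTS = [
    "2013-01-29 11:43:48,163 level=INFO Running http request with balance 115076",
    "2013-01-29 11:43:49,001 level=INFO Running http request with balance 999",
    "2013-01-29 11:43:49,420 level=INFO Running http request with balance 1000",
    "2013-01-29 11:43:50,007 level=WARN Running http request timed out",
]


def extract_balance(event):
    """Return the balance as an int, or None when the event carries no balance
    (rex likewise just leaves the field unset on non-matching events)."""
    m = BALANCE_RE.search(event)
    return int(m.group("number")) if m else None


def balances_over(events, threshold):
    """Equivalent of `... | search number>THRESHOLD`: keep events whose extracted
    balance exceeds the threshold. The comparison must be numeric; comparing the
    raw captured strings would rank "999" above "1000"."""
    hits = []
    for ev in events:
        bal = extract_balance(ev)
        if bal is not None and bal > threshold:
            hits.append((bal, ev))
    return hits


if __name__ == "__main__":
    for bal, ev in balances_over(SAMPLE_EVENTS, 1000):
        print(bal, "<-", ev)
```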
Thanks so much Jeff, that worked beautifully. I will learn from your answer and build on it. Thanks again!