
Return string of numbers after equals sign

AlexMcDuffMille
Communicator

I'm trying to create a regex so that I can pull a string of numbers out of a log file.

I can limit my search so that only the specific log files appear, but when I do the interactive field extraction other files show up for some reason...

I have a log file that says "DataX Entry GB= 5123521 Data Entry GB=1265649"

I would like a field in Splunk that just has "1265649" in it for each log entry. Sometimes the number will be more or less digits. I tried making a regex that simply returned a string of numbers after "Data Entry GB=", but that didn't work.

Thanks!

1 Solution

jhupka
Path Finder

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

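As an added example (not code from the original thread), here is the same two-field extraction expressed in Python's re module and run over constructed sample events, so the named-group pattern can be checked offline before it goes into rex. A pattern that silently fails to match leaves the field absent, and any search or alert keyed on that field then misses the event, so exercising it against representative lines is worthwhile. Python spells named groups (?P<name>...) where Splunk's PCRE uses (?<name>...); the rest of the pattern is identical. The \s* after each "=" is an assumption added here to tolerate the space that appears in the question's sample ("GB= 5123521"). The block also shows why a lookahead on its own cannot extract the digits, and the lookbehind that does.

```python
import re

# Splunk's rex uses PCRE named groups, written (?<name>...).  Python's re module
# spells the same thing (?P<name>...); the rest of the pattern is identical.
# \s* after each "=" is an assumption added here: it tolerates the optional
# space seen in the question's sample ("GB= 5123521"); \d+ accepts any number
# of digits, which covers the "more or less digits" case.
GB_PATTERN = re.compile(
    r"DataX Entry GB=\s*(?P<DataXGB>\d+) Data Entry GB=\s*(?P<DataGB>\d+)"
)

# Constructed sample events standing in for _raw; not from the original post.
SAMPLE_EVENTS = [
    "2024-01-01T00:00:00 host1 DataX Entry GB= 5123521 Data Entry GB=1265649",
    "2024-01-01T00:05:00 host1 DataX Entry GB=42 Data Entry GB=7",
    "2024-01-01T00:10:00 host1 unrelated log line with no GB fields",
]


def extract_gb(event):
    """Return {'DataXGB': int, 'DataGB': int} for one event, or None when the
    pattern does not match (rex likewise leaves the fields absent)."""
    m = GB_PATTERN.search(event)
    if m is None:
        return None
    return {name: int(value) for name, value in m.groupdict().items()}


def extract_all(events):
    """Apply the extraction to every event, mirroring `... | rex ...` over a
    result set; non-matching events yield None."""
    return [extract_gb(e) for e in events]


def lookahead_attempt(event):
    """A lookahead (?=...) only asserts that 'Data Entry GB=' starts at the
    current position; it consumes nothing, so the [0-9]+ that follows is
    tested against the letter 'D' and the pattern never matches."""
    return re.search(r"(?=Data Entry GB=)[0-9]+\b", event)


def lookbehind_extract(event):
    """A lookbehind (?<=...) is the zero-width construct that fits the intent:
    match digits that are immediately preceded by the literal label."""
    m = re.search(r"(?<=Data Entry GB=)[0-9]+\b", event)
    return int(m.group(0)) if m else None


if __name__ == "__main__":
    for event, fields in zip(SAMPLE_EVENTS, extract_all(SAMPLE_EVENTS)):
        print(f"{event!r}\n  -> {fields}")
    print("lookahead match:", lookahead_attempt(SAMPLE_EVENTS[0]))
    print("lookbehind value:", lookbehind_extract(SAMPLE_EVENTS[0]))
```

Running the block prints the two extracted values for the first two events and None for the third; the lookahead attempt returns no match at all, while the lookbehind returns 1265649. The same named-group pattern, with (?P< changed to (?<, is what goes into the rex command.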

AlexMcDuffMille
Communicator

Sorry, I forgot that part. I was using (?=Free Memory KB=)[0-9]+\b

I guess the lookahead method didn't work as the other reply did work for me.

Thanks for your help!

sowings
Splunk Employee

Can you post the regular expression you tried? Saying that it "didn't work" is rather open-ended. Note that the markup here will require you to double all of your \ (as in \d, etc).
