I'm trying to create a regex so that I can pull a string of numbers out of a log file.
I can limit my search so that only the specific log files appear, but when I do the interactive field extraction other files show up for some reason...
I have a log file that says "DataX Entry GB= 5123521 Data Entry GB=1265649"
I would like a field in Splunk that just has "1265649" in it for each log entry. Sometimes the number will have more or fewer digits. I tried making a regex that simply returned a string of numbers after "Data Entry GB=", but that didn't work.
Thanks!
Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:
<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"
Note that the rex command is working over the _raw field by default... so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.
Sorry, I forgot that part. I was using (?=Free Memory KB=)[0-9]+\b
I guess the lookahead method didn't work as the other reply did work for me.
Thanks for your help!
Can you post the regular expression you tried? Saying that it "didn't work" is rather open-ended. Note that the markup here will require you to double all of your \ (as in \d, etc).
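Added example, not part of the original thread: the lookahead attempt and the capture-group rex pattern run side by side over constructed events, using JavaScript because its `(?<name>...)` named-group syntax matches the one rex accepts. The lookahead is adapted to the "Data Entry GB=" label, and the `\s*` after each `GB=` is an assumption added to tolerate the space shown in the question's sample line.

```javascript
// Constructed sample events; the first is the line quoted in the question.
const events = [
  "DataX Entry GB= 5123521 Data Entry GB=1265649",
  "DataX Entry GB=42 Data Entry GB= 7",
  "unrelated event from another source",
];

// Lookahead attempt, adapted from the thread to the "Data Entry GB=" label.
// (?=...) is zero-width: it checks that the label is present but consumes
// nothing, so [0-9]+ must then match at the "D" of the label and never does.
const LOOKAHEAD = /(?=Data Entry GB=)[0-9]+\b/;

// Capture-group form from the rex answer. The \s* after each "GB=" is an
// added assumption so the optional space in the sample does not break it.
const CAPTURE =
  /DataX Entry GB=\s*(?<DataXGB>\d+) Data Entry GB=\s*(?<DataGB>\d+)/;

// Returns the named fields, or null when the event does not match
// (rex likewise leaves the fields unset on events that do not match).
function extractFields(raw) {
  const m = CAPTURE.exec(raw);
  return m ? { DataXGB: m.groups.DataXGB, DataGB: m.groups.DataGB } : null;
}

// Returns the text matched by the lookahead pattern, or null.
function lookaheadMatch(raw) {
  const m = LOOKAHEAD.exec(raw);
  return m ? m[0] : null;
}

for (const raw of events) {
  console.log(JSON.stringify(raw), lookaheadMatch(raw), extractFields(raw));
}
```

The literal label goes outside the group and only the digits go inside it, so the field holds just the number regardless of how many digits it has.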