Hey everyone, I am trying to get a rex written that will suck out a few key items from data that I'm taking into splunk. Here's an example of the lines from the event that I'm interested in:
Key: User License - 23 out of 100 used
Key: Group License - 21 out of 2147483647 used
Key: maxTrunkGroupCallCapacity - 0 out of 50 used
Now, the numbers I'm interested in getting out of each of these lines are the User license count, the group license count, and the trunk call capacity, as well as the purchased license count. What I think makes this difficult is that the numbers aren't zero padded, which in posix regex makes it harder. The numbers can change depending on what each server's license allows for. I'm still learning PCRE. Could anyone give me a hand writing a rex to grab these values?
Thanks!
Hey Msarro,
Have you tried using the Interactive Field Extractor?
Maybe look Here.
This is a great tool, especially for us who are hesitant in out abilities with regex.
Zero padding should not matter, you will probably be using "\d" for digits, and just throwing on a + will give you "one or more times", thus,
\d+
means 1 or more digits. For example it would match 0, 02312300123, or 23.
Either way, starting with the IFE to give you a good guess at the regex and then all that matters is making sure you understand what Splunk is saying with the regex it generates and editing it if you notice and errors.
GL!
The v4.2 Interactive Field Extractor sucks IMO. Highly recommend using something like RegEx Buddy or RegEx Magic. They are cheap apps but really make short work of regex's.
I actually tried it. After using it on 23 and 100 it worked fine. However on 21 it choked and couldn't locate the field.