Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Fields from unstructured data (rex help)

msarro
Builder
‎04-07-2011 06:49 PM

Hey everyone, I am trying to get a rex written that will suck out a few key items from data that I'm taking into splunk. Here's an example of the lines from the event that I'm interested in:

Key: User License - 23 out of 100 used
Key: Group License - 21 out of 2147483647 used
Key: maxTrunkGroupCallCapacity - 0 out of 50 used

Now, the numbers I'm interested in getting out of each of these lines are the User license count, the group license count, and the trunk call capacity, as well as the purchased license count. What I think makes this difficult is that the numbers aren't zero padded, which in posix regex makes it harder. The numbers can change depending on what each server's license allows for. I'm still learning PCRE. Could anyone give me a hand writing a rex to grab these values?

Thanks!

Tags (2)
0 Karma
Reply

proctorgeorge
Path Finder
‎04-07-2011 07:31 PM

Hey Msarro,

Have you tried using the Interactive Field Extractor?

Maybe look Here.

This is a great tool, especially for us who are hesitant in out abilities with regex.

Zero padding should not matter, you will probably be using "\d" for digits, and just throwing on a + will give you "one or more times", thus,

\d+

means 1 or more digits. For example it would match 0, 02312300123, or 23.

Either way, starting with the IFE to give you a good guess at the regex and then all that matters is making sure you understand what Splunk is saying with the regex it generates and editing it if you notice and errors.

GL!

0 Karma
Reply

netwrkr
Communicator
‎04-07-2011 08:03 PM

The v4.2 Interactive Field Extractor sucks IMO. Highly recommend using something like RegEx Buddy or RegEx Magic. They are cheap apps but really make short work of regex's.

0 Karma
Reply

msarro
Builder
‎04-07-2011 07:34 PM

I actually tried it. After using it on 23 and 100 it worked fine. However on 21 it choked and couldn't locate the field.

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...