Solved: Table query

ltalhouarne · ‎03-11-2016

I cannot seem to find the right query for getting the following (table):

Time | field 1 | field 2 | field 3

2016-03-11 11:18:45 | 01 | 02 | 03

from:

"Got an error: 010203"

This is what I have tried so far:

rex "Got an error: (?<field1>(01))(?<field2>(02))(?<field3>(03)) | table _time field1 field2 field3

Richfez · ‎03-11-2016

The rex you'll want would be

| rex "Got an error:\s+(?<field1>\d{2})(?<field2>\d{2})(?<field3>\d{2})"

Those are \d for digit, {2} exactly two of them.

Like in this run-anywhere example:

| gentimes start=3/1/2016 end=3/2/2016 | eval test="Got an error: 010203" | rex field=test "Got an error:\s+(?<field1>\d{2})(?<field2>\d{2})(?<field3>\d{2})"

View solution in original post

Richfez · ‎03-11-2016

The rex you'll want would be

| rex "Got an error:\s+(?<field1>\d{2})(?<field2>\d{2})(?<field3>\d{2})"

Those are \d for digit, {2} exactly two of them.

Like in this run-anywhere example:

| gentimes start=3/1/2016 end=3/2/2016 | eval test="Got an error: 010203" | rex field=test "Got an error:\s+(?<field1>\d{2})(?<field2>\d{2})(?<field3>\d{2})"

Table query

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life