Hi,
I have a field called operationDuration. This field has a value in the form of Xms, e.g. 10ms.
How can I parse this value so that I remove the ms, i.e. I get only the numerical value?
I tried to do this in the Tag extraction, but regex look around does not seem to work.
Thanks a lot
Simon
Have you tried this (assuming that the field operationDuration is already extracted):
your_search | rex field=operationDuration "(?<OPER_DUR_NUM>\d+)ms"
The extraction above will give you a field called OPER_DUR_NUM in the fields column on the left.
You can of course call it whatever you like.
UPDATE:
In order to test whether the extraction worked correctly, you can type in the following search:
your_search | rex field=operationDuration "(?<OPER_DUR_NUM>\d+)ms" | table operationDuration, OPER_DUR_NUM
Also, note that this is not a "permanent" field extraction - it only lives within this search. If you want to make the new field available without specifying the rex statement as part of every search query, you should make a permanent extraction, e.g. with IFX or directly in props.conf.
For more info on field extraction see:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Addfieldsatsearchtime
/Kristian
You could use:
| convert num(operationDuration)
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/convert
Thanks for your post, Kristian.
How can I view the extracted value, so that I can check if the extraction was correct?
Thanks