Solved: How to edit my regular expression to extract the n...

ayusuf · ‎10-25-2016

I don't understand how Splunk does regex!
I have this search below:

...
| spath output=test path=a.b.c
| rex field=test "?<test1>[0-9]+"
| table test, test1

Test is this: {"timehours":"16","timeminutes":"34","timeseconds":"11"}

How do I extract just the numbers and semicolon except the first semicolon?
Thanks!

sundareshr · ‎10-25-2016

Try this

 ...
 | spath output=test path=a.b.c
 | rex max_match=3 field=test "(?<t>\d{1,2})"
 | eval test1=mvindex(t, 0).":".mvindex(t, 1).":".mvindex(t, -1)
 | table test, test1

View solution in original post

DalJeanis · ‎02-01-2017

Here's another way. Still couldn't get it in just one rex.

This generates test results -

| makeresults | eval testfield="{\"timehours\":\"16\",\"timeminutes\":\"34\",\"timeseconds\":\"11\"}"

This pulls out the time parts -

| rex field=testfield max_match=3 "(?<mytime>\d{1,2})" | eval mytime=mvjoin(mytime,":")

sundareshr · ‎10-25-2016

Try this

 ...
 | spath output=test path=a.b.c
 | rex max_match=3 field=test "(?<t>\d{1,2})"
 | eval test1=mvindex(t, 0).":".mvindex(t, 1).":".mvindex(t, -1)
 | table test, test1

ayusuf · ‎10-26-2016

That works but is there a way to do it all in rex? Thanks.

sundareshr · ‎10-26-2016

With rex mode=sed you cannot assign the result to a different field. Try this

  ... | rex mode=sed field=test "s/{\"timehours\":\"(\d+).+?:\"(\d+).+?:\"(\d+)\"}/\1:\2:\3/g" | table test

How to edit my regular expression to extract the numbers and semicolons from my sample data?

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk

Routing logs with Splunk OTel Collector for Kubernetes