help with rex

rguntupalli8 · ‎05-01-2012

Trying to evaluate the below:

1min=1;5min=1;60min=1;24hr=1

Below seem to be not working. Anything wrong with this?

| rex field=_raw "1min=(?<1min>.+?);5min=(?<5min>.+?);60min=(?<60min>.+?);24hr=(?<24hr>.+?)"

chimell · ‎12-12-2016

Hi

Try this search code

.........................|rex field=_raw "1min\=(?<one_min>[^\;])\;5min\=(?<five_min>[^\;])\;60min\=(?<sixty_min>[^\;])\;24hr\=(?<twenty_four_hr>[\d+])"|table one_min five_min sixty_min twenty_four_hr

kristian_kolb · ‎05-02-2012

You could try to be more specific in the matching, like;

rex "1min=(?<1min>\d+);5min=(?<5min>\d+);60min=(?<60min>\d+);24hr=(?<24hr>\d+)"

btw, you don't need the field=_raw, since that is the default.

Or you could look into the DELIMS parameter in transforms.conf

in props.conf

[your_sourcetype]
REPORT-blaha = semicolondelims

in transforms.conf

[semicolondelims]
DELIMS= ";", "="

This tells Splunk that key/value pairs are separated by a semi-colon, and that the keys are separated from the values by an 'equals' character.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

Hope this helps,

Kristian

MarioM · ‎05-02-2012

I am not to sure to understand what you are trying to do. Why not using :

| extract pairdelim=";", kvdelim="=", auto=f

help with rex

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!