Hi,
Below is not working. Can you please help?
I am trying to capture 1minmax(int number), 1minavg(decimal number) etc in addition to jco_total.
| dtm=2012-04-29 05:30:00.00 PDT | priority=INFO | Timer-_default MonitorJCOConnectionsTask:
JCOConnections:Total=48(1M;5M;60M;24H)=(1,1.33;3,2,2.56;3,3.66;5,1.82;)
sourcetype="oss6" | rex "JCOConnections:Total=(?
(?<60minmax>d+),(?<60minavg>d+.?d);(?<24hrmax>d+),(?<24hravg>d+.?d*);)"
There are some errors in your regex:
You are not matching all necessary stuff between the '48' and values for 1minmax. Also, there are nine values in the last parentheses, whereas you only specify eight extractions.
rex "JCOConnections:Total=(?<jco_total>d+)(.)=((?<1minmax>d+),(?<1minavg>d+.?d);(?<5minmax>d+),(?<5minavg>d+.?d); (?<60minmax>d+),(?<60minavg>d+.?d);(?<24hrmax>d+),(?<24hravg>d+.?d*);)"
Given (part of) the message;
JCOConnections:Total=48(1M;5M;60M;24H)=(1,1.33;3,2,2.56;3,3.66;5,1.82;)
you could get your values by;
rex "JCOConnections:Total=(?<jco_total>\d+)\([124560HM;]+\)=\((?<1mmax>[^,]+),(?<1mavg>[^;]+);(?<5mmax>[^,]+),(?<5mavg>[^;]+);(?<60mmax>[^,]+),(?<60mavg>[^;]+);(?<24hmax>[^,]+),(?<24havg>[^;]+);\)"
Still need to remove one value in the log (there are 3 values for the 5min part ( 3, 2, and 2.56)), or add another extraction.
Hope this helps,
Kristian
well, yes. Consider the following:
,(?
this will;
start matching after a colon (,)
match any character that is NOT a semicolon ([^;])
for one or more characters (+)
and store them as the field 'blaha' (?
followed by a semicolon (;)
so the contents of blaha
could be
AAA
123.43
as long as it's not a semicolon.
/k
Hi Kristian,
Thank you. Noted the 3 values issue in the log.
Does this work to extract decimal values as above, e.g. 2.56?
Don't we need something like this to extract decimal values?
(?<1minMAX>\d+),(?<1minAVG>\d+.?\d*);
In "regular expression-ese", \d is just a digit. You may have these correct with literal .'s and \If I try to match \d against "1.33", I'm going to get 1.
Next, I don't know if you've transcribed your event correctly, or if you cut-and-pasted. It looks like the format of the parenthetical should be int comma float semicolon, and then three more groups like that. The pasted event shows 3,2,2.56; as the second group in that form.
Consider testing with RegExr; it'll be faster to triage the problem and then paste into rex in the search bar.
Using your input exactly as provided, I wrote the following regex (minus the field names) to match it:
JCOConnections:Total=(\d+)\(.*\)=\((\d+),([\d.]+);(\d+),(\d+),([\d.]+);(\d+),([\d.]+);(\d+),([\d.]+);\)
Note that in order for you to get a \ in the text of what you're providing, you have to escape it. You may well have \d or \., but it's showing up as just d or ., which don't have the same meaning. \d != d.
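An added example, not part of any post in this thread: the same extraction in Python, useful for checking a pattern offline before pasting it into rex. It goes slightly beyond the thread by splitting each group on commas so the three-value 5M group is kept rather than breaking the match. The field names (max_1m, avg_1m, extra_5m and so on) are hypothetical, chosen because Python named groups cannot start with a digit, and treating the first value as max and the last as avg is an assumption.

```python
import re

# Constructed sample: the event quoted in the thread, joined onto one line.
EVENT = ("| dtm=2012-04-29 05:30:00.00 PDT | priority=INFO | Timer-_default "
         "MonitorJCOConnectionsTask: JCOConnections:Total=48(1M;5M;60M;24H)="
         "(1,1.33;3,2,2.56;3,3.66;5,1.82;)")

# What the pattern becomes when the backslash is lost: a literal letter "d".
UNESCAPED = re.compile(r"JCOConnections:Total=(?P<jco_total>d+)")

# Outer shape: total, window labels, then the semicolon-separated groups.
LINE_RE = re.compile(
    r"JCOConnections:Total=(?P<jco_total>\d+)"
    r"\((?P<labels>[^)]*)\)=\((?P<groups>[^)]*)\)"
)
NUM_RE = re.compile(r"\d+(?:\.\d+)?")  # escaped dot; a bare . matches any char


def parse_jco(event):
    """Return a dict of extracted fields, or None if the event does not fit."""
    m = LINE_RE.search(event)
    if m is None:
        return None
    labels = [s for s in m.group("labels").split(";") if s]
    groups = [s for s in m.group("groups").split(";") if s]
    if len(labels) != len(groups):
        return None  # a window label without a value group, or the reverse
    fields = {"jco_total": int(m.group("jco_total"))}
    for label, group in zip(labels, groups):
        values = group.split(",")
        numeric = all(NUM_RE.fullmatch(v) for v in values)
        if len(values) < 2 or not numeric or not values[0].isdigit():
            return None
        key = label.lower()
        # Assumption: first value is the max, last is the average.
        fields[f"max_{key}"] = int(values[0])
        fields[f"avg_{key}"] = float(values[-1])
        if len(values) > 2:
            # Unexpected middle values are surfaced instead of dropped.
            fields[f"extra_{key}"] = values[1:-1]
    return fields


if __name__ == "__main__":
    for name, value in parse_jco(EVENT).items():
        print(name, value)
```
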
updated. Thanks.
You may want to update your question above.
Hi sdaniels,
Sorry for the incomplete information in my post above. Actually I am trying to capture 1minmax(int number), 1minavg(decimal number) etc in addition to jco_total.
sourcetype="oss6" | rex "JCOConnections:Total=(?
(?<60minmax>d+),(?<60minavg>d+.?d);(?<24hrmax>d+),(?<24hravg>d+.?d*);)"
Are you just trying to capture the number 48 for the total number of connections?
Used this rex, but it is still not working.
sourcetype="oss6" | rex "JCOConnections:Total=(?