Splunk Search

Rex help with decimal numbers

rguntupalli8
New Member

Hi,
Below is not working. Can you please help?
I am trying to capture 1minmax(int number), 1minavg(decimal number) etc in addition to jco_total.

| dtm=2012-04-29 05:30:00.00 PDT | priority=INFO | Timer-_default MonitorJCOConnectionsTask:

JCOConnections:Total=48(1M;5M;60M;24H)=(1,1.33;3,2,2.56;3,3.66;5,1.82;)

sourcetype="oss6" | rex "JCOConnections:Total=(?<jco_total>d+)(.)=((?<1minmax>d+),(?<1minavg>d+.?d);(?<5minmax>d+),(?<5minavg>d+.?d);
(?<60minmax>d+),(?<60minavg>d+.?d);(?<24hrmax>d+),(?<24hravg>d+.?d*);)"


kristian_kolb
Ultra Champion

There are some errors in your regex:

you are not matching all necessary stuff between the '48' and values for 1minmax. Also, there are nine values in the last parentheses, whereas you only specify eight extractions.

 rex "JCOConnections:Total=(?<jco_total>d+)(.)=((?<1minmax>d+),(?<1minavg>d+.?d);(?<5minmax>d+),(?<5minavg>d+.?d); (?<60minmax>d+),(?<60minavg>d+.?d);(?<24hrmax>d+),(?<24hravg>d+.?d*);)" 

given (part of) the message;

JCOConnections:Total=48(1M;5M;60M;24H)=(1,1.33;3,2,2.56;3,3.66;5,1.82;)

you could get your values by;

rex "JCOConnections:Total=(?<jco_total>d+)\([124560HM;]+\)=\((?<1mmax>[^,]+),(?<1mavg>[^;]+);(?<5mmax>[^,]+),(?<5mavg>[^;]+);(?<60mmax>[^,]+),(?<60mavg>[^;]+);(?<24hmax>[^,]+),(?<24havg>[^;]+);\)"

Still need to remove one value in the log (there are 3 values for the 5min part ( 3, 2, and 2.56)), or add another extraction.

Hope this helps,

Kristian


kristian_kolb
Ultra Champion

well, yes. Consider the following:

,(?<blaha>[^;]+);

this will;
start matching after a colon (,)
match any character that is NOT a semicolon ([^;])
for one or more characters (+)
and store them as the field 'blaha' (?<blaha>)
followed by a semicolon (;)

so the contents of blaha could be
AAA
123.43

¤!%&

as long as it's not a semicolon.

/k

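The two points Kristian makes above, as an added example that is not code from the thread or from Splunk: his negated-class regex run against the quoted event, and a look at what ",(?<blaha>[^;]+);" actually captures. Python's re spells named groups (?P<name>...) rather than the PCRE (?<name>...) that Splunk's rex uses, and both engines require a group name to start with a letter or underscore, so the field names here (m1max, m5mid and so on) are assumed placeholders, not the names from the thread. The example also shows why the extra value in the 5-minute group matters: the eight-field pattern still matches, but silently stores "2,2.56" as the 5-minute average.

```python
import re

# Constructed sample event: the JCOConnections fragment quoted in the question.
EVENT = ("| dtm=2012-04-29 05:30:00.00 PDT | priority=INFO | "
         "Timer-_default MonitorJCOConnectionsTask: "
         "JCOConnections:Total=48(1M;5M;60M;24H)=(1,1.33;3,2,2.56;3,3.66;5,1.82;)")

# Kristian's negated-class approach with Python's (?P<name>...) group syntax.
# Each max is "everything up to the comma" and each avg "everything up to the
# semicolon", so a decimal such as 1.33 is captured without any digit class.
EIGHT_FIELDS = re.compile(
    r"JCOConnections:Total=(?P<jco_total>\d+)\([124560HM;]+\)=\("
    r"(?P<m1max>[^,]+),(?P<m1avg>[^;]+);"
    r"(?P<m5max>[^,]+),(?P<m5avg>[^;]+);"
    r"(?P<m60max>[^,]+),(?P<m60avg>[^;]+);"
    r"(?P<h24max>[^,]+),(?P<h24avg>[^;]+);\)"
)

# Same pattern with one extra extraction for the 5-minute group, which in the
# pasted event carries three values (3,2,2.56) instead of two. "m5mid" is a
# placeholder name: the log format does not say what that middle value is.
NINE_FIELDS = re.compile(
    r"JCOConnections:Total=(?P<jco_total>\d+)\([124560HM;]+\)=\("
    r"(?P<m1max>[^,]+),(?P<m1avg>[^;]+);"
    r"(?P<m5max>[^,]+),(?P<m5mid>[^,]+),(?P<m5avg>[^;]+);"
    r"(?P<m60max>[^,]+),(?P<m60avg>[^;]+);"
    r"(?P<h24max>[^,]+),(?P<h24avg>[^;]+);\)"
)

def extract(pattern, event):
    """Return the named groups as a dict, or None when the pattern does not match."""
    m = pattern.search(event)
    return m.groupdict() if m else None

def capture_until_semicolon(text):
    """Show what ',(?<blaha>[^;]+);' accepts: anything at all up to the next semicolon."""
    m = re.search(r",(?P<blaha>[^;]+);", text)
    return m.group("blaha") if m else None

if __name__ == "__main__":
    # Matches, but m5avg comes out as "2,2.56" because [^;] happily includes a comma.
    print(extract(EIGHT_FIELDS, EVENT))
    # Matches with the middle value split out into its own field.
    print(extract(NINE_FIELDS, EVENT))
    # Decimals, letters and symbols are all fine for [^;]+; only ';' ends the match.
    for s in (",1.33;", ",AAA;", ",123.43;", ",¤!%&;"):
        print(repr(s), "->", capture_until_semicolon(s))
```

Because [^;]+ accepts anything, a pattern built this way never tells you when the log format drifts; the 8-field version above matched the 9-value event without complaint. If the field is going to be charted or summed, it is worth checking afterwards (for example with a tonumber() or an isnum() test in the search) that what landed in the field is actually a number.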

rguntupalli8
New Member

Hi Kristian,
Thank you. Noted the 3 values issue in the log.
Does this work to extract decimal values above, e.g. 2.56?
Don't we need something like this to extract decimal values?
(?<1minMAX>\d+),(?<1minAVG>\d+.?\d*);


sowings
Splunk Employee

In "regular expression-ese", \d is just a digit. You may have these correct with literal .'s and \. If I try to match \d against "1.33", I'm going to get 1.

Next, I don't know if you've transcribed your event correctly, or if you cut-and-pasted. It looks like the format of the parenthetical should be int comma float semicolon, and then three more groups like that. The pasted event shows 3,2,2.56; as the second group in that form.

Consider testing with RegExr; it'll be faster to triage the problem and then paste into rex in the search bar.

Using your input exactly as provided, I wrote the following regex (minus the field names) to match it:


JCOConnections:Total=(\d+)\(.*\)=\((\d+),([\d.]+);(\d+),(\d+),([\d.]+);(\d+),([\d.]+);(\d+),([\d.]+);\)


sowings
Splunk Employee

Note that in order for you to get a \ in the text of what you're providing, you have to escape it. You may well have \d or \., but it's showing up as just d or ., which don't have the same meaning. \d != d.

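The points sowings makes in the two replies above, as an added example that is not code from the thread or from Splunk: what \d, [\d.]+ and an unescaped dot actually match, what happens once the backslash is lost on paste (d+ is then just a run of the letter d), and his nine-group pattern run against the quoted event with group names attached and the values converted to numbers. The group names use Python's (?P<name>...) spelling and are assumed placeholders; m5mid in particular just names the unexplained middle value of the 5-minute group.

```python
import re

# Constructed sample event: the JCOConnections fragment quoted in the question.
EVENT = ("| dtm=2012-04-29 05:30:00.00 PDT | priority=INFO | "
         "Timer-_default MonitorJCOConnectionsTask: "
         "JCOConnections:Total=48(1M;5M;60M;24H)=(1,1.33;3,2,2.56;3,3.66;5,1.82;)")

def first_match(pattern, text):
    """Return the text matched by the first occurrence of pattern, or None."""
    m = re.search(pattern, text)
    return m.group(0) if m else None

# sowings' nine-group pattern with placeholder group names attached. \d+ takes
# the integer maxima; [\d.]+ takes the decimal averages, so 1.33 comes through
# whole instead of stopping at the first dot.
SOWINGS = re.compile(
    r"JCOConnections:Total=(?P<jco_total>\d+)\(.*\)=\("
    r"(?P<m1max>\d+),(?P<m1avg>[\d.]+);"
    r"(?P<m5max>\d+),(?P<m5mid>\d+),(?P<m5avg>[\d.]+);"
    r"(?P<m60max>\d+),(?P<m60avg>[\d.]+);"
    r"(?P<h24max>\d+),(?P<h24avg>[\d.]+);\)"
)

def extract_typed(event):
    """Extract the fields and convert them: int for maxima, float for averages."""
    m = SOWINGS.search(event)
    if not m:
        return None
    return {name: (float(v) if "." in v else int(v))
            for name, v in m.groupdict().items()}

if __name__ == "__main__":
    print(first_match(r"\d+", "1.33"))        # 1    - \d stops at the dot
    print(first_match(r"[\d.]+", "1.33"))     # 1.33 - the dot is in the class
    print(first_match(r"\d+.?\d*", "3,2"))    # 3,2  - an unescaped . also eats the comma
    print(first_match(r"\d+\.?\d*", "3,2"))   # 3    - escaped \. stops at the comma
    print(first_match(r"d+", "1.33"))         # None - without the backslash, d is a letter
    print(first_match(r"d+", "ddd"))          # ddd
    print(extract_typed(EVENT))
```

The unescaped-dot case is the one to watch: \d+.?\d* in the original post happens to work on "1.33", but on "3,2" it swallows the comma and the neighbouring value, so the extraction looks successful while returning the wrong thing. Escaping the dot (\.) or using [\d.]+ makes the pattern fail loudly instead.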

rguntupalli8
New Member

Updated. Thanks.


sdaniels
Splunk Employee

You may want to update your question above.


rguntupalli8
New Member

Hi sdaniels,

Sorry for the incomplete information in my post above. Actually I am trying to capture 1minmax(int number), 1minavg(decimal number) etc in addition to jco_total.

sourcetype="oss6" | rex "JCOConnections:Total=(?<jco_total>d+)(.)=((?<1minmax>d+),(?<1minavg>d+.?d);(?<5minmax>d+),(?<5minavg>d+.?d);
(?<60minmax>d+),(?<60minavg>d+.?d);(?<24hrmax>d+),(?<24hravg>d+.?d*);)"


sdaniels
Splunk Employee
Splunk Employee

Are you just trying to capture the number 48 for the total number of connections?


rguntupalli8
New Member

Used this rex, but it's still not working.
sourcetype="oss6" | rex "JCOConnections:Total=(?<jco_total>\d+)(1M;5M;60M;24H)=(\d+,\d+.?\d*;\d+,\d+.?\d*;\d+,\d+.?\d*;\d+,\d+.?\d*;)"
