Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to build a regular expression that will capture multiple numbers in a field?

shivarpith
Path Finder
‎12-07-2016 07:42 AM

my log looks like below and i wanted to know if i could make a single regular expression to extract all xxx-xxx numbers

The following messages were logged on 12/07/16 at 07:52:10.

0420-094: blah blah blah destination.
0423-245: blah blah blah  changed.
0420-098: blah blah blah  job.
0424-138: blah blah blah.

so if Regex is Number then i would like to see

number 

0420-094
0423-245
0420-098
0424-138

or to better understand if i do a stats count by number

number         |     Count
0420-094       |       1
0423-245       |       1
0420-098       |       1
0424-138       |       1

i know i can do multiple regex's for each one and then coalesce to merge them all, but if there's a better way then why not 🙂

0 Karma
Reply

rjthibod
Champion
‎12-07-2016 08:43 AM

How about this?

your search ... | rex "(?<number>[^:]*)" | stats count as Count by number
0 Karma
Reply

shivarpith
Path Finder
‎12-08-2016 05:03 AM

Thank you for the response but the regex above will still pick the 1st number that came up in the log, i have a scenario where an event has 2-6 numbers like below but not limited to.
0420-094
0423-245
0420-098
0424-138

i want regex to parse all the values that match the regex, i was looking at MV_ADD option but not sure if that would work.

\n(?.*):

0 Karma
Reply

rjthibod
Champion
‎12-08-2016 10:09 AM

Sorry, I interpreted your original post to be different log messages.

Is your sourcetype already correctly differentiating your multiline log events? If not, that needs be cleaned up first.

0 Karma
Reply

rjthibod
Champion
‎12-08-2016 10:20 AM

If you are doing this at search time, then you would probably want the following in transforms.conf (you would reference the following transform in props.conf as well).

[MVNumber]
REGEX  = (\d+-\d+):
FORMAT = Number::$1
MV_ADD = true

And you would want to add the following to fields.conf

[Number]
TOKENIZER = (\d+-\d+):
INDEXED = false
INDEXED_VALUE = true
0 Karma
Reply

shivarpith
Path Finder
‎12-08-2016 01:35 PM

thank you, i will try it out and post the update. thanks a lot

0 Karma
Reply
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...