Splunk Search

In a field value that contains text, how can I display or extract just the numerical value within that text?

steveklinck
New Member

We have a "Message" field that always contains the same verbiage except for a numerical value. I only want the numerical value.
Example: "The system uptime is 999999 seconds." (The quotes are not part of the Message text.)

How can I display only the 999999?

Thanks

0 Karma

richgalloway
SplunkTrust

Try rex. This example extracts the digits into field 'uptime' which you can then use in other SPL commands.

... | rex field=Message "uptime is (?<uptime>\d+) seconds" | ...
---
If this reply helps you, Karma would be appreciated.


0 Karma
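To check the pattern from the answer above against sample messages before putting it into a search, it can be exercised outside Splunk. This is an added example, not code from the thread: it runs the same named-group syntax in JavaScript's regex engine rather than Splunk's, the function names and the sample messages (including the "Host 42" variant, which goes beyond the single message format in the question) are constructed for illustration, and it also shows why the pattern is anchored on the surrounding words instead of matching any run of digits.

```javascript
// Added example: exercises the thread's rex pattern outside Splunk.
// Sample messages are constructed; function names are hypothetical.
const ANCHORED = /uptime is (?<uptime>\d+) seconds/; // pattern from the answer
const BARE = /(?<uptime>\d+)/;                       // unanchored, for comparison

// Mimics what rex does per event: returns the captured value as a number,
// or null when the pattern does not match (the field is simply not set).
function extractUptime(message, pattern = ANCHORED) {
  const m = pattern.exec(message);
  return m ? Number(m.groups.uptime) : null;
}

// Distinct extracted values across a set of events, sorted numerically.
function distinctUptimes(messages, pattern = ANCHORED) {
  const seen = new Set();
  for (const msg of messages) {
    const v = extractUptime(msg, pattern);
    if (v !== null) seen.add(v);
  }
  return [...seen].sort((a, b) => a - b);
}

const SAMPLES = [ // constructed test data
  "The system uptime is 999999 seconds.",
  "The system uptime is 5 seconds.",              // single-digit value
  "Host 42: The system uptime is 86400 seconds.", // another number comes first
  "The system uptime is unknown.",                // no number: no field
  "The system uptime is 999999 seconds.",         // repeated value
];

for (const msg of SAMPLES) {
  console.log(JSON.stringify(msg),
    "| anchored:", extractUptime(msg),
    "| bare:", extractUptime(msg, BARE));
}
console.log("distinct:", distinctUptimes(SAMPLES));
```

On the "Host 42" message the unanchored pattern returns 42 while the anchored one returns 86400, which is the reason to keep the literal text around the capture group.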


steveklinck
New Member

Thanks to both of you for the extremely quick answer. Per richgalloway, I added | stats values(uptime) and that gives me the desired result.

Thanks again to both of you.

0 Karma

aaraneta_splunk
Splunk Employee

@steveklinck - Please don't forget to click "Accept" under richgalloway's answer to close out your question. Thank you.

0 Karma

vasanthmss
Motivator

Populate the value using the search below:

|stats c |fields - c  | eval message="The system uptime is 999999 seconds."

Use the regular expression below to get the numeric value:

| rex field=message "uptime is (?<up_time>\d+)"

The sample search will be:

|stats c |fields - c  | eval message="The system uptime is 999999 seconds." | rex field=message "uptime is (?<up_time>\d+)"

So you can try something like this:

your base search ... | rex field=message "uptime is (?<up_time>\d+)"
V

steveklinck
New Member

Thanks again to both of you.

0 Karma