- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex extraction question
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm pretty new to rex extraction using splunk and I can't figure out why my extraction isn't working. I have a raw event so I'm trying to use the following rex to get what I am looking for
rex field=_raw "call is(?).*"
The event in question is a raw event that contains a line that looks as follows:
"Total time taken for call is1554"
I want the digits that follow the is(and it always prints with no space between is and the number), but I can't figure out why my regex solution isn't working. It registers resptime as a field but it has no values printed in it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brajaram can you try the following?
<YourBaseSearch>
| rex "call is (?<callTime>\d+)"
Also following is the run anywhere search:
| makeresults
| eval _raw="Total time taken for call is 1554"
| rex "call is (?<callTime>\d+)"
If you are not well versed with regular expressions you can test/learn on regex101.com
You should also try out Interactive Field Extraction (IFX) which writes the regular expression for you through several step by step process. Another advantage of this is that your field extraction will persist as easily maintainable and reusable Field Extractions `Knowledge Object. Following is the Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@brajaram can you try the following?
<YourBaseSearch>
| rex "call is (?<callTime>\d+)"
Also following is the run anywhere search:
| makeresults
| eval _raw="Total time taken for call is 1554"
| rex "call is (?<callTime>\d+)"
If you are not well versed with regular expressions you can test/learn on regex101.com
You should also try out Interactive Field Extraction (IFX) which writes the regular expression for you through several step by step process. Another advantage of this is that your field extraction will persist as easily maintainable and reusable Field Extractions `Knowledge Object. Following is the Splunk Documentation: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, that works. Why does the \d+ matter for that regex?
And I tried the IFX, but it kept throwing errors due to the size of the event and small field value I needed to extract, so I was trying to write my own. Thanks for the suggestion for that site!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
\d+ is a greedy match for digits which matches one or more of digits. I have saved the regex with some test data on regex101.com. You can check the Explanation and Quick Reference for regular expression pattern match: https://regex101.com/r/lrlBXM/1
Now that you have required Regular Expression, you can start the Field Extraction Again and override with the the same. You can directly via props.conf and transforms.conf(if required depending upon how you are configuring).
| makeresults | eval message= "Happy Splunking!!!"
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
