Solved: RegEx Extract value after string

arrowecssupport · ‎06-11-2018

I'm trying to build an extraction to find the uptime from this data (example below)

.1.3.6.1.4.1.789 Enterprise Specific Trap (87) Uptime: 0:27:51.35
.1.3.6.1.3.94 Enterprise Specific Trap (4) Uptime: 195 days, 7:01:04.00

Can anyone help with the RegEx?

niketn · ‎06-11-2018

@arrowecssupport, based on the sample data you can use the following rex command:

| rex "Uptime:\s(?<uptime>.*)"

Please find below the tun anywhere search, which extracts the uptime value and also uses convert command function dur2sec() to convert D+HH:MM:SS to seconds.

| makeresults
| eval data=".1.3.6.1.4.1.789 Enterprise Specific Trap (87) Uptime: 0:27:51.35;.1.3.6.1.3.94 Enterprise Specific Trap (4) Uptime: 195 days, 7:01:04.00"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "Uptime:\s(?<uptime>.*)"
| eval uptime_seconds=replace(replace(uptime,"\sdays,\s","+"),"\..+","")
| convert dur2sec(uptime_seconds)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎06-11-2018

@arrowecssupport, based on the sample data you can use the following rex command:

| rex "Uptime:\s(?<uptime>.*)"

Please find below the tun anywhere search, which extracts the uptime value and also uses convert command function dur2sec() to convert D+HH:MM:SS to seconds.

| makeresults
| eval data=".1.3.6.1.4.1.789 Enterprise Specific Trap (87) Uptime: 0:27:51.35;.1.3.6.1.3.94 Enterprise Specific Trap (4) Uptime: 195 days, 7:01:04.00"
| makemv data delim=";"
| mvexpand data
| rename data as _raw
| rex "Uptime:\s(?<uptime>.*)"
| eval uptime_seconds=replace(replace(uptime,"\sdays,\s","+"),"\..+","")
| convert dur2sec(uptime_seconds)

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

RegEx Extract value after string

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!