Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Value that may or may not be there in field extraction

aohls
Contributor
‎07-12-2019 06:42 AM

I am attempting to setup an exctraction for the following; 2 hrs 2 mins 36 secs 312 ms; extracting it as the time values as follows:

(?<hours>\d+) hrs (?<minutes>\d+) mins (?<seconds>\d+) secs (?<milliseconds>\d+) ms

The issue is that at times we will have something line; 1 hr 2 mins 36 secs 312 ms or even just 312 ms. Can I make the extraction account for values that may or may not be there? I know with some regex's before I used a ? to say the value may or may not be there but I am not sure in the field extractor for the full value.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-12-2019 06:54 AM

Something like this: EXTRACT-time = (?<hrs>\d+ hrs?)?\s*(?<mins>\d+ mins?)?\s*(?<secs>\d+ secs?)?\s*(?<ms>\d+ ms)?
https://regex101.com/r/qHE6lA/1

Or if you want to extract the whole things as 1 field: EXTRACT-time = (?<time>(?:\d+ hrs?)?\s*(?:\d+ mins?)?\s*(?:\d+ secs?)?\s*(?:\d+ ms)?)
https://regex101.com/r/qHE6lA/2

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-12-2019 06:54 AM

Something like this: EXTRACT-time = (?<hrs>\d+ hrs?)?\s*(?<mins>\d+ mins?)?\s*(?<secs>\d+ secs?)?\s*(?<ms>\d+ ms)?
https://regex101.com/r/qHE6lA/1

Or if you want to extract the whole things as 1 field: EXTRACT-time = (?<time>(?:\d+ hrs?)?\s*(?:\d+ mins?)?\s*(?:\d+ secs?)?\s*(?:\d+ ms)?)
https://regex101.com/r/qHE6lA/2

Reply
Solved! Jump to solution

aohls
Contributor
‎07-12-2019 07:19 AM

The top gets close, but I do not want the hrs,mins,etc included in the extracted field. for example it is extracting "2 hrs" but I was looking to get "2".

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-12-2019 07:35 AM

Oh, yes, ofcourse: (?<hrs>\d+)?(?: hrs?\s+)?(?<mins>\d+)?(?: mins?\s+)?(?<secs>\d+)?(?: secs?\s+)?(?<ms>\d+)?(?: ms)?
https://regex101.com/r/qHE6lA/3

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎07-12-2019 08:00 AM

This worked perfect. Using (?: mins?\s+)? I assume is potentially to find the word after, so it may or may not find it due to the ? at the end correct? Just want to make sure to understand it.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-14-2019 01:39 AM

Yes, ? means match 0 or 1 times. So I add that behind each of the groups as well as behind the s in case it shows 1 hr or something like that.

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...