Splunk Search

RegEx - Get integer behind string

lirumlarum
Engager

Hi guys,
I'm absolutely new to RegEx and I'm very fascinated how powerful RegEx is.

I'm trying to get an integer value that is placed behind a specific string.
This string and the integer value may appear at several places in a logfile.

Here is an example of the file:

4/11/2013;4:22:00 PM;Server konnte nicht gestartet werden, falsche Server IP/Name

4/13/2013;2:26:31 PM;Server konnte nicht gestartet werden, falsche Server IP/Name

4/14/2013;2:01:01 AM;Backup Fehler: (db1)

4/14/2013;2:01:02 AM;

4/14/2013;2:01:03 AM;ErrorCode: 17

Server offline

Der Datenbankeserver reagiert nicht.

I've been playing around with PowerGREP and RegexMagic but I didn't create one single expression that is correct for Splunk ^^

All I want to create is a new field, with the ErrorCode integer to get an overview which errors occur how often.

Can someone help me with creating this expression?
Thank you in advance 🙂

1 Solution

kristian_kolb
Ultra Champion

Hi,

your base search | rex "ErrorCode:\s+(?<err_code>\d+)"

This should give you a field called err_code which contains the ErrorCode. You can then use it in stats/tables/charts for reporting, e.g.

... | timechart span=1h count by err_code


UPDATE:

Aah,

The examples above are for the use in an ordinary search, i.e. you enter it into the search bar. Your base search would be where you put your sourcetype=xxx etc.
The ... refers to any previous search statements.

To make it more permanent, you can enter it into the props.conf file (either manually or through the IFX).

The IFX 'syntax' if you were to edit the generated regex, would probably look like;

ErrorCode:\s+(?P<FIELDNAME>\d+)

Then you'll be prompted to give a name for the field (FIELDNAME is just a placeholder).

Or you can put it in the props.conf directly;

[your_sourcetype]
EXTRACT-blah = ErrorCode:\s+(?<err_code>\d+)

/K
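The extraction above, run outside Splunk as an added example (not code from the thread): the same regex in the `(?P<name>...)` spelling the IFX shows, applied to constructed events modelled on the log excerpt, with a count per err_code equivalent to `... | stats count by err_code`. It also shows the caveat that `\s+` requires at least one space after the colon, so `ErrorCode:99` is not extracted.

```python
import re
from collections import Counter

# Regex from the thread, written in the (?P<name>...) form the IFX shows.
# Splunk's rex/EXTRACT accept both (?<name>...) and (?P<name>...);
# Python's re module only accepts the (?P<name>...) spelling.
ERROR_CODE_RE = re.compile(r"ErrorCode:\s+(?P<err_code>\d+)")

# Constructed sample events modelled on the log excerpt in the question.
SAMPLE_EVENTS = [
    "4/11/2013;4:22:00 PM;Server konnte nicht gestartet werden, falsche Server IP/Name",
    "4/14/2013;2:01:01 AM;Backup Fehler: (db1)",
    "4/14/2013;2:01:02 AM;",
    "4/14/2013;2:01:03 AM;ErrorCode: 17",
    "4/15/2013;3:10:00 AM;ErrorCode:   17",
    "4/16/2013;1:00:00 AM;ErrorCode: 42",
    "4/17/2013;1:00:00 AM;ErrorCode:99",  # no whitespace after the colon: \s+ does not match
]


def extract_err_code(event: str):
    """Return the err_code field for one event, or None when the regex does not
    match (rex likewise leaves the field absent on events without a match).
    Splunk extracts field values as strings, so the code is returned as a string."""
    m = ERROR_CODE_RE.search(event)
    return m.group("err_code") if m else None


def count_err_codes(events):
    """Equivalent of '... | rex ... | stats count by err_code': one count per
    distinct code, ignoring events where no err_code was extracted."""
    return Counter(code for code in map(extract_err_code, events) if code is not None)


if __name__ == "__main__":
    for code, n in sorted(count_err_codes(SAMPLE_EVENTS).items()):
        print(f"err_code={code} count={n}")
```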

lirumlarum
Engager

Hi Kristian,

thank you for your help 🙂

I forgot to mention that I'm also completely new to Splunk itself ^^
So I'm not sure how to add your expression to Splunk.

The only way I know so far is to do this with the "Interactive field extractor".
But when I insert the phrase in the "Edit" field Splunk returns a syntax error.

Edit1: okay I've got it 🙂 Inserted the expression into the normal search and found the new field err_code.
Thank you so much Kristian!!
