Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

regex formation

harsh1734
New Member
‎08-01-2013 10:15 PM

hi,
in my log files there is a field name cpu time with different time values like 57.682 sec,0.572 sec and among the highest it is 1133.982 secs when i am trying to extract 1133.982,it showing me the message..

No regex could be learned. Try providing different examples or restriction
so how can i extract this field

Tags (1)
0 Karma
Reply

mothmen
Engager
‎08-02-2013 05:55 AM

Using the regex to get establish field name can be a pretty big pain.

Unless there's a good reason not to, I'd recommend logging the CPU Time within the .log file as something like: "CPU_Time=1133.982" (minus the quotation marks)

Splunk will automatically create the field "CPU_Time" if you log your information this way. It's extremely convenient.

0 Karma
Reply

jonuwz
Influencer
‎08-02-2013 04:16 AM 
... | rex "(?<cpu_time>\d+(?:\.\d+)?) sec"

This looks for a number, optionally followed by .xxxx follwowd by "sec", and sets a field called cpu_time to the number component of the string.

0 Karma
Reply

Drainy
Champion
‎08-02-2013 01:36 AM

If you could post an example event one of the community or myself could probably write a regex for you

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...