Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract value from end of line

lalbsah
Engager
‎05-14-2012 07:35 AM

I have below log format and I want to get value of getTaskHistoryList(in this case it is 33 but this may get changed).
Trace: 2012/05/10 19:32:39.047 01 t=9AF4F8 c=UNK key=P8 (0000000A) Description: Log Java Message Message: Time taken for getTaskHistoryList 33

How to extract only getTaskHistoryList value and create chart out of these values?

Tags (1)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-14-2012 07:40 AM

Well, given the one example event, one might try

... | rex "getTaskHistoryList (?<field_name>\d+)$"

However, a more thorough regex might be:

... | rex "Message: Time take for (?<operation>[^\s]+) (?<time_taken>\d+)$"

These are not particularly complicated regular expressions. If you are not already familiar, I would recommend studying how regular expressions work in general - there is a good website, http://www.regular-expressions.info/, and O'Reilly has an excellent (if a little aged) paperback book on the subject, http://shop.oreilly.com/product/9780596528126.do

Also, you should study up on how Splunk uses regular expressions for field extraction. http://docs.splunk.com/Documentation/Splunk/4.3/Knowledge/Aboutfields is as good of a place as any to start.

Reply
Get Updates on the Splunk Community!

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...