Trying to evaluate the below:
1min=1;5min=1;60min=1;24hr=1
The below does not seem to be working. Is anything wrong with this?
| rex field=_raw "1min=(?<1min>.+?);5min=(?<5min>.+?);60min=(?<60min>.+?);24hr=(?<24hr>.+?)"
Hi
Try this search code
.........................|rex field=_raw "1min=(?<one_min>[^;]+);5min=(?<five_min>[^;]+);60min=(?<sixty_min>[^;]+);24hr=(?<twenty_four_hr>\d+)"|table one_min five_min sixty_min twenty_four_hr
You could try to be more specific in the matching, like;
rex "1min=(?<one_min>\d+);5min=(?<five_min>\d+);60min=(?<sixty_min>\d+);24hr=(?<twenty_four_hr>\d+)"
btw, you don't need the field=_raw, since that is the default.
Or you could look into the DELIMS parameter in transforms.conf
in props.conf
[your_sourcetype]
REPORT-blaha = semicolondelims
in transforms.conf
[semicolondelims]
DELIMS= ";", "="
This tells Splunk that key/value pairs are separated by a semi-colon, and that the keys are separated from the values by an 'equals' character.
http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf
Hope this helps,
Kristian
I am not too sure I understand what you are trying to do. Why not use:
| extract pairdelim=";", kvdelim="=", auto=f
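To make the difference between the two approaches in this thread concrete, here is an added Python example (not code from the thread or from Splunk). It assumes the sample event from the question and uses Python's re module as a stand-in for the PCRE engine behind rex: both reject a capture-group name that starts with a digit, which is why the group names 1min, 5min, 60min and 24hr in the question fail, while a delimiter-based split (the DELIMS / extract pairdelim, kvdelim approach) keeps those key names as they are. The renamed groups one_min, five_min, sixty_min and twenty_four_hr are our assumption.

```python
import re

# Constructed sample event, matching the one in the question.
SAMPLE_EVENT = "1min=1;5min=1;60min=1;24hr=1"

# The question's group names, written in Python's (?P<name>) syntax.
# PCRE (used by Splunk's rex) and Python's re both require a group name
# to start with a letter or underscore, so "1min" is rejected at compile time.
INVALID_PATTERN = (
    r"1min=(?P<1min>\d+);5min=(?P<5min>\d+);"
    r"60min=(?P<60min>\d+);24hr=(?P<24hr>\d+)"
)

# Same expression with legal group names (the renaming is our assumption).
VALID_PATTERN = (
    r"1min=(?P<one_min>\d+);5min=(?P<five_min>\d+);"
    r"60min=(?P<sixty_min>\d+);24hr=(?P<twenty_four_hr>\d+)"
)


def compiles(pattern: str) -> bool:
    """Return True if the regex engine accepts the pattern, False otherwise."""
    try:
        re.compile(pattern)
        return True
    except re.error:
        return False


def rex_extract(event: str, pattern: str = VALID_PATTERN) -> dict:
    """Mimic '| rex "<pattern>"': return the named groups as fields, or an
    empty dict when the pattern does not match (rex then adds no fields)."""
    m = re.search(pattern, event)
    return m.groupdict() if m else {}


def delim_extract(event: str, pairdelim: str = ";", kvdelim: str = "=") -> dict:
    """Mimic '| extract pairdelim=";" kvdelim="="' (or DELIMS= ";", "="):
    split on the pair delimiter, then split each pair on its first key/value
    delimiter. Pairs without a kvdelim or with an empty key are skipped."""
    fields = {}
    for pair in event.split(pairdelim):
        if kvdelim not in pair:
            continue
        key, value = pair.split(kvdelim, 1)
        key, value = key.strip(), value.strip()
        if key:
            fields[key] = value
    return fields


if __name__ == "__main__":
    print("question's pattern compiles:", compiles(INVALID_PATTERN))
    print("renamed pattern compiles:   ", compiles(VALID_PATTERN))
    print("rex-style fields:  ", rex_extract(SAMPLE_EVENT))
    print("delim-style fields:", delim_extract(SAMPLE_EVENT))
```

Running it shows the first pattern failing to compile while the renamed one extracts all four values; the delimiter split returns the original 1min/5min/60min/24hr keys, which is the simpler option when the event really is a clean list of key=value pairs and nothing in the values contains the delimiters.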