topic Re: Regex help in Splunk Search

Regex help

mbyreddy03 — Tue, 29 Sep 2020 23:11:44 GMT

Hi All

Below are my sample events am trying to use regex and extract Time to run brinson for all days in Parallel as modelname and 254.697016001as time, can some please help over here

msg: 30947: Time to run brinson for all days in Parallel 254.697016001

msg: 30968: time to build classification for universe B_3446 all Brinson sections is 0.0605750083923

msg: 30968: time to load v_2 0.138014793396

Regards,

Re: Regex help

woodcock — Fri, 08 Feb 2019 21:13:02 GMT

Like this:

... | rex "(?<modelname>Time to run.*?Parallel)\s+(?<time>\d+)"

Re: Regex help

mydog8it — Fri, 08 Feb 2019 21:23:07 GMT

I think this is what you are asking for....
^msg:\s30947:(?P[a-zA-Z\s]+(?P\d+.\d+))

Re: Regex help

mydog8it — Fri, 08 Feb 2019 21:33:31 GMT

I get what you want now, how is this...

^msg:\s\d+:(?P[a-zA-Z\s\d_]+\s(?=\d+.\d+)(?P\d+.\d+))

Re: Regex help

mydog8it — Fri, 08 Feb 2019 21:34:11 GMT

^msg:\s\d+:(?P<modelname>[a-zA-Z\s\d\_]+\s(?=\d+\.\d+)(?P<time>\d+\.\d+))

Re: Regex help

mydog8it — Fri, 08 Feb 2019 21:35:26 GMT

^msg:\s\d+:(?P<modelname>[a-zA-Z\s\d\_]+\s(?=\d+\.\d+)(?P<time>\d+\.\d+))

Re: Regex help

mydog8it — Fri, 08 Feb 2019 21:35:52 GMT

My goodness I struggle with this UI sometimes!

Re: Regex help

vinod94 — Sat, 09 Feb 2019 07:19:57 GMT

You can try this regex ,

msg\:\s\d+\:\s(?<modelname>[a-zA-z\s\d]+)\s(?P<time>\d+\.\d+)

for example ,run anywhere this search

| makeresults 
| eval data="msg: 30947: Time to run brinson for all days in Parallel 254.697016001 ; 
msg: 30968: time to build classification for universe B_3446 all Brinson sections is 0.0605750083923; 
msg: 30968: time to load v_2 0.138014793396" 
| makemv delim=";" data 
| mvexpand data 
| rename data as _raw | fields - _time 
| rex field=_raw "msg\:\s\d+\:\s(?<modelname>[a-zA-z\s\d]+)\s(?P<time>\d+\.\d+)"

let me know if this works.

Re: Regex help

kushagra9120 — Tue, 29 Sep 2020 23:11:59 GMT

Try This:-

(?:\w*:\s){2}(?P.*?)(?P\d+.\d+)

Re: Regex help

vnravikumar — Sat, 09 Feb 2019 15:11:34 GMT

Hi @mbyreddy03

Try this

| makeresults 
| eval msg="msg: 30947: Time to run brinson for all days in Parallel 254.697016001 " 
| rex field=msg "(?P<modelname>Time.*Parallel)\s(?P<time>.*)"