topic How to get a numeric field extracted in Splunk Search

How to get a numeric field extracted

Regleston — Wed, 20 Nov 2019 21:49:23 GMT

I am trying to extract the "Time taken" from this field.

2019-11-20 09:38:22,157 INFO Time taken: 01:35:53.514

The problem I have is that when I use Splunk to create a regex it creates it as an "a".
From what I understand that happens when more then half of the characters aren't numeric.
As you can see there are 12 chars, 9 of which are numeric, so I am not sure why this field is created as an "a" and not a "#".

Can anyone please help?

Re: How to get a numeric field extracted

jpolvino — Wed, 20 Nov 2019 21:57:24 GMT

You can change the type, see link

But why do you want to change it? The time taken is clearly not a number. How about parsing it apart and then doing calculations to render it into an actual numeric type, such as seconds?

Re: How to get a numeric field extracted

woodcock — Wed, 20 Nov 2019 22:09:26 GMT

Like this:

... | rex "Time taken:\s(?:(?:(?<duration_hours>\d+):)?(?<duration_minutes>\d+):)?(?<duration_seconds>.+)$"
| fillnull value=0 duration_hours duration_minutes 
| eval duration = duration_seconds + (60 * (duration_minutes + (60 * duration_hours))) 
| fieldformat duration = tostring(duration, "duration")

Re: How to get a numeric field extracted

Regleston — Thu, 21 Nov 2019 21:20:14 GMT

Thanks jpolvino & woodcock for the advice. I made regex for hh mm ss nnn and used the parsing woodcock provided and I am all smiles.