topic Looking for a regex that extract key=values from same line in Splunk Search

Looking for a regex that extract key=values from same line

YagneshShah1 — Tue, 10 Nov 2020 19:02:03 GMT

Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart

Splunk item Total: [ 0=233 ]

Splunk item Total: [ 1=220 ]

Splunk item Total: [ 1=220 3=40 ]

Splunk item Total: [ 0=50 1=210 3=30 ]

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Re: Looking for a regex that extract key=values from same line

bowesmana — Tue, 10 Nov 2020 21:33:07 GMT

Using your example data, run this query - is that what you wanted in the rex statement?

| makeresults | eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ]",",") | mvexpand fields | table fields | rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"

Re: Looking for a regex that extract key=values from same line

YagneshShah1 — Tue, 10 Nov 2020 23:03:28 GMT

Sorry I confuse you, actually log is printing sometime this

Splunk item Total: [ 0=233 ]

or sometime this

Splunk item Total: [ 1=220 ]

and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one to print line graph

Re: Looking for a regex that extract key=values from same line

somesoni2 — Wed, 11 Nov 2020 00:07:04 GMT

Try using extract command (works on field _raw). A runanywhere example is here:

| makeresults | eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ]",",") | mvexpand raw | rename raw as _raw | extract kvdelim="=" pairdelim=" " auto=t clean_keys=false

Re: Looking for a regex that extract key=values from same line

YagneshShah1 — Wed, 11 Nov 2020 15:49:45 GMT

I cannot use any of this in extract

(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])

as I have mentioned it is not constant it changes, logs sometime display

Splunk item Total: [ 0=233 ]

Splunk item Total: [ 1=220 ]

Splunk item Total: [ 1=220 3=40 ]

Splunk item Total: [ 0=50 1=210 3=30 ]

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value