topic Re: How do I extract a number from the raw message in Splunk Search

How do I extract a number from the raw message

JeffCr — Thu, 04 Aug 2016 14:49:26 GMT

How do I extract the following which always occurs as the last part of the raw text in message e.g "Took 13983.1468ms."
I want only the number and to capture timestamp and hostname. The total message length and structure might vary slightly but the ending is the same.

Re: How do I extract a number from the raw message

skoelpin — Thu, 04 Aug 2016 14:52:59 GMT

You would use a regular expression..

Try this

| rex (?P<Time>(?<=Took\s)\d+(?=ms))

Re: How do I extract a number from the raw message

richgalloway — Thu, 04 Aug 2016 14:54:47 GMT

I'd use rex.

index=foo | rex "Took (?<num>\d+\.?\d+)ms" | ...

If you need help extracting timestamp and hostname, please show some sample data.

Re: How do I extract a number from the raw message

JeffCr — Thu, 04 Aug 2016 15:09:05 GMT

Whats the easiest way to search the result set and then alert on a threshold value(s). Do I need to pass this into a command to build a table first?

Re: How do I extract a number from the raw message

richgalloway — Thu, 04 Aug 2016 15:13:16 GMT

To alert on certain values, schedule a search for those values.

index=foo | rex "Took (?<num>\d+\.?\d+)ms" | where num > someThreshold | table _time hostname num

Have the search trigger an alert if the number of results is not zero.

Re: How do I extract a number from the raw message

JeffCr — Thu, 04 Aug 2016 15:26:56 GMT

Many thanks for the answer!

Re: How do I extract a number from the raw message

twinspop — Thu, 04 Aug 2016 15:28:39 GMT

I think that regex is going to surprise in some situations. You are requiring that there be 2 digits. 1 or more digits, followed by optional decimal, followed by 1 or more digits.

Re: How do I extract a number from the raw message

twinspop — Thu, 04 Aug 2016 15:29:48 GMT

This doesn't allow for decimals.

Re: How do I extract a number from the raw message

JeffCr — Thu, 04 Aug 2016 15:30:13 GMT

There will always be at least x.x

Re: How do I extract a number from the raw message

twinspop — Thu, 04 Aug 2016 15:31:02 GMT

| rex "Took (?P<dur>\d+\.?\d*)ms"

Will put the value into dur

Re: How do I extract a number from the raw message

skoelpin — Thu, 04 Aug 2016 15:53:18 GMT

Sorry about that, try this

| rex (?P<Time>(?<=Took\s)\d+\.\d+(?=ms))

Re: How do I extract a number from the raw message

skoelpin — Thu, 04 Aug 2016 15:54:08 GMT

No you don't need to do that, you can add a | where clause such as

... | where Time > 2