https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648810#M224429 <P>I need to extract a time value from log file where the time value appears with a few different variations of characters around it.&nbsp; I'm struggling with handling all the variations through my regex extract.</P><P>Below are examples of each of the variations:</P><P><SPAN class="">ChainedQuery</SPAN> <SPAN class="">elapsed</SPAN> <SPAN class="">time</SPAN><SPAN> [</SPAN><SPAN class="">90</SPAN><SPAN>]</SPAN><SPAN class="">ms</SPAN></P><P><SPAN class="">Elapsed time: 114ms</SPAN></P><P><SPAN class="">Elapsed time to get Service pool: 339</SPAN></P><P><SPAN class="">Elapsed Time: 69</SPAN></P><P><SPAN class=""><SPAN>,</SPAN>took 37ms</SPAN></P><P>Is there a way to extract all the numeric values with 1 regex?</P><P>&nbsp;</P> Fri, 30 Jun 2023 13:15:47 GMT nateNpgh 2023-06-30T13:15:47Z https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648810#M224429 <P>I need to extract a time value from log file where the time value appears with a few different variations of characters around it.&nbsp; I'm struggling with handling all the variations through my regex extract.</P><P>Below are examples of each of the variations:</P><P><SPAN class="">ChainedQuery</SPAN> <SPAN class="">elapsed</SPAN> <SPAN class="">time</SPAN><SPAN> [</SPAN><SPAN class="">90</SPAN><SPAN>]</SPAN><SPAN class="">ms</SPAN></P><P><SPAN class="">Elapsed time: 114ms</SPAN></P><P><SPAN class="">Elapsed time to get Service pool: 339</SPAN></P><P><SPAN class="">Elapsed Time: 69</SPAN></P><P><SPAN class=""><SPAN>,</SPAN>took 37ms</SPAN></P><P>Is there a way to extract all the numeric values with 1 regex?</P><P>&nbsp;</P> Fri, 30 Jun 2023 13:15:47 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648810#M224429 nateNpgh 2023-06-30T13:15:47Z https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648812#M224430 <P>It depends how many different variants you expect to encounter and how fool-proof you want this solution to be. If you go too broadly - for example extracting every sequence of digits after a "elapsed" word (would need a separate branch for the "took" version) - you risk getting unrelated data extracted.</P> Fri, 30 Jun 2023 13:35:36 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648812#M224430 PickleRick 2023-06-30T13:35:36Z https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648813#M224431 <P>I just need to be able to handle the variations I included.</P> Fri, 30 Jun 2023 13:38:03 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648813#M224431 nateNpgh 2023-06-30T13:38:03Z https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648814#M224432 <P>Just use an alternative within a group and you're set.</P><PRE>(Prefix1|prefix2|prefix3)(?&lt;capture_field&gt;\d+)</PRE> Fri, 30 Jun 2023 13:41:24 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/648814#M224432 PickleRick 2023-06-30T13:41:24Z https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/649190#M224500 <P>Hi</P><P>With those examples this should work&nbsp;<A href="https://regex101.com/r/jBOkh7/1" target="_blank">https://regex101.com/r/jBOkh7/1</A></P><LI-CODE lang="markup">\s+[\[]?(\d+)</LI-CODE><P>But this expecting that in field where you are extracting these values haven't been anything else. If those contains other text you need to modify that.</P><P>r. Ismo&nbsp;</P> Tue, 04 Jul 2023 17:34:49 GMT https://community.splunk.com/t5/Splunk-Search/Extracting-data-which-is-incosistent/m-p/649190#M224500 isoutamo 2023-07-04T17:34:49Z