https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95314#M24606 <P>As long as you have the line breaking correct for the events in Splunk than a regex like this</P> <PRE><CODE>(?&lt;=bandwidth\s)\d+(?=\s) </CODE></PRE> <P>to replace what IFX is coming up with should work. Just go into the config file and change it directly or if you've already deleted it, replace it in the IFX when you create the extraction.</P> Tue, 22 Jan 2013 19:01:25 GMT sdaniels 2013-01-22T19:01:25Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95313#M24605 <P>I'm trying to extract a single field from a log and perform some statistical calculations using stats.</P> <P>The log entries I have look like the following:</P> <PRE><CODE>"Jan 22 16:43:48 10.164.93.7 10.164.93.7 local2 warn rpd[1106]: RPD_MPLS_PATH_BANDWIDTH_CHANGE: MPLS path (lsp B.R2.CHI-1) bandwidth changed, path bandwidth 81659056 bps","2013-01-22T11:43:48.000-0500",,16,22,43,january,48,tuesday,2013,local,"nix-all-logs",local2,"log.itgh.net",,"syslog_prod",1,22,"C-NET","10.164.93.7","10.164.93.7","R1.BB-FO.BRN1",Jan,"16:43:48","RPD_MPLS_PATH_BANDWIDTH_CHANGE: MPLS path (lsp R1.CHI2-1) bandwidth changed, path bandwidth 81659056 bps",,"__::_..._...___[]:_:____(_-.-.-)__,____",warn,"/app/syslog/10.164.93.7/10.164.93.7.log","syslog_vrsn","splunk6",,16,7 </CODE></PRE> <P>The query I'm using is:</P> <PRE><CODE>index=syslog_data bandwidth | extract pairdelim="bandwidth", kvdelim="bps", auto=f </CODE></PRE> <P>does not extract the bandwidth number, in the above example, I just want to extract the number 81659056</P> <P>I can user the IFX to extract the field, but then the extracted field looks like:</P> <PRE><CODE> 1 0.877193 </CODE></PRE> <P>5 RPD_MPLS_PATH_BANDWIDTH_CHANGE: MPLS path (lsp R6.NYC.LAX3-1) bandwidth changed, path bandwidth 75085360 bps</P> <P>What is the best way to extract just the bandwidth from the entry?</P> <P>Thanks in advance.</P> Mon, 28 Sep 2020 13:09:46 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95313#M24605 DTERM 2020-09-28T13:09:46Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95314#M24606 <P>As long as you have the line breaking correct for the events in Splunk than a regex like this</P> <PRE><CODE>(?&lt;=bandwidth\s)\d+(?=\s) </CODE></PRE> <P>to replace what IFX is coming up with should work. Just go into the config file and change it directly or if you've already deleted it, replace it in the IFX when you create the extraction.</P> Tue, 22 Jan 2013 19:01:25 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95314#M24606 sdaniels 2013-01-22T19:01:25Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95315#M24607 <P>Is there a reason why you are using extract? You could just use rex if the bandwidth is the only field you need:</P> <PRE><CODE>index=syslog_data bandwidth | rex "bandwidth\s(?&lt;my_bandwidth&gt;\d+)\sbps" </CODE></PRE> <P>Chris</P> Tue, 22 Jan 2013 19:06:58 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95315#M24607 chris 2013-01-22T19:06:58Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95316#M24608 <P>Perfect, gotta learn SPLUNK regex! Thanks!</P> Tue, 22 Jan 2013 19:27:53 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95316#M24608 DTERM 2013-01-22T19:27:53Z https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95317#M24609 <P>You're welcome</P> Tue, 22 Jan 2013 21:39:55 GMT https://community.splunk.com/t5/Splunk-Search/Splunk-Query/m-p/95317#M24609 chris 2013-01-22T21:39:55Z