topic Re: Proper REX command in Splunk Search

Proper REX command

tb5821 — Thu, 18 Jul 2013 13:55:26 GMT

What would the proper REX command be to extract the following:

SPACE:SPACE then a numeric string

so ends up being ' : 949495'

Re: Proper REX command

alacercogitatus — Thu, 18 Jul 2013 14:21:41 GMT

Any regex tutorial would have the regex. This one only extracts the digits.

your_search | rex field=_raw "\s:\s(?<extracted>\d+)"

Re: Proper REX command

rgcurry — Thu, 18 Jul 2013 14:26:08 GMT

Putting the "\s:\s" into the capture string will include it all -- if that is what you are wanting. This is how I am reading your desired results, else what alacercogitatus provided is right on target.

Re: Proper REX command

tb5821 — Thu, 18 Jul 2013 15:36:32 GMT

Yes all of it is what I want, I need to make one more clarification is that when its present its ALWAYS at the END of the line. Its the last string. The rex above is pulling data out in the middle of the line as well which is not desired.

Re: Proper REX command

alacercogitatus — Thu, 18 Jul 2013 15:48:34 GMT

your_search | rex field=_raw "(?<extracted>\s:\s\d+)$"

Re: Proper REX command

tb5821 — Thu, 18 Jul 2013 16:26:10 GMT

Thats producing a field with the decimal included...

Re: Proper REX command

Ayn — Thu, 18 Jul 2013 18:40:50 GMT

Which decimal?

Re: Proper REX command

Ayn — Thu, 18 Jul 2013 18:41:33 GMT

If you don't want to include the string matched by \s:\s, just leave it out of the matching group.

Re: Proper REX command

tb5821 — Thu, 18 Jul 2013 19:12:37 GMT

Not sure how to do that and ensure it still matches on ' : 949495'

Re: Proper REX command

amit_saxena — Thu, 18 Jul 2013 19:25:23 GMT

Hi,

Let me know how following works for you.

rex "(?i)(?P<var> : [0-9]+)$"

Regards,
Amit Saxena

Re: Proper REX command

Ayn — Thu, 18 Jul 2013 19:26:02 GMT

It's basically what's in alacer's initial answer but you add the $ at the end. You may not know regex but reading through the answers and comments should give you some idea anyway.

Re: Proper REX command

tb5821 — Thu, 18 Jul 2013 19:40:56 GMT

Error in 'rex' command: Encountered the following error while compiling the regex '(?i)(?P : [0-9]+)$': Regex: unrecognized character after (?P

Re: Proper REX command

amit_saxena — Thu, 18 Jul 2013 19:42:58 GMT

Oh ! That was a typo from my side. Try the following and let me know the outcome.

rex "(?i)(?P : [0-9]+)$"

Re: Proper REX command

amit_saxena — Thu, 18 Jul 2013 19:43:53 GMT

Wait ! no matter I put correct answer, some characters are getting truncated when I submit the post ! I am posting the answer again in "post your answer" section.

Re: Proper REX command

amit_saxena — Thu, 18 Jul 2013 19:49:29 GMT

Hi,

Try the following regular expression.

rex "(?i)(?P<var> : [0-9]+)$"

Note : Please add "< var >" ( without spaces and quotes ) after "?P" in the regular expression. Due to some issue, the "<" and ">" characters are getting truncated from my post.

Regards,
Amit Saxena

Re: Proper REX command

alacercogitatus — Thu, 18 Jul 2013 19:59:22 GMT

A better sample of data would help with the regex.

Re: Proper REX command

amit_saxena — Thu, 18 Jul 2013 20:05:11 GMT

Let me know if this works.

rex "(?i)(?P : [0-9]+)$"

Re: Proper REX command

amit_saxena — Thu, 18 Jul 2013 20:06:30 GMT

Still the characters in my post are getting truncated and I don't know why 😞

Re: Proper REX command

tb5821 — Thu, 18 Jul 2013 20:20:11 GMT

can you put it in a code block?

Re: Proper REX command

amit_saxena — Fri, 19 Jul 2013 06:45:45 GMT

Putting the expression inside a code block.

rex "(?i)(?P<var> : [0-9]+)$"l

Hopefully this time, there are no characters that gets truncated

Let me know if it works for you

Regards,
Amit Saxena