topic Re: Help with rex regex to extract a field value for a chart? in Splunk Search

Help with rex regex to extract a field value for a chart?

mark_chuman — Wed, 20 Aug 2014 17:34:22 GMT

I have a search that will return the log entry below. The search is here:

< "Authentication succeeded for user [*] in tenant [vsphere.local] in [*] milliseconds" host=valuetonarowdownhost >

Text
Authentication succeeded for user [userid@domain] in tenant [vsphere.local] in [185] milliseconds

But I would like to create a rex value for any integer between the last brackets (here it's 185) and then create a chart for it. I'm trying to trend on how long it takes to authenticate a user. Been trying in vain to come up with an expression that works for me.

Any help appreciated!

Re: Help with rex regex to extract a field value for a chart?

grijhwani — Wed, 20 Aug 2014 17:54:33 GMT

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"

Re: Help with rex regex to extract a field value for a chart?

mark_chuman — Mon, 28 Sep 2020 17:22:26 GMT

Thank you, very powerful. It's working now, in that I'm able to chart out the average of that specific value (I'll call it logon_time) and I have a field now called logon_time. So, I'll have the search and then add on | timechart avg(logon_time). That gives me the daily average for that value over time using the logs from all the hosts. Any idea how I would expose the average for each host and have it overlap on the same chart? Also, I don't necessarily need the average, but just the raw value. I was trying something like | select time_logon | timechart count by host..

Re: Help with rex regex to extract a field value for a chart?

somesoni2 — Wed, 20 Aug 2014 19:45:27 GMT

Try something like this (for your followup question)

your base search | rex "^.*\[.*\[.*\[(?P<logon_time>[0-9]+)" | eval host="host_".host| timechart avg(logon_time) by host | addtotals fieldname=AllHosts host_* | rename host_* as *

Re: Help with rex regex to extract a field value for a chart?

mark_chuman — Mon, 28 Sep 2020 17:22:29 GMT

Thanks! Any reason why wouldn't be able to adjust this part - |timechart avg(logon_time) to | timechart (logon_time) - ie, you just want the raw data and not have it averaged.

Re: Help with rex regex to extract a field value for a chart?

grijhwani — Thu, 21 Aug 2014 23:53:01 GMT

Yes. You have to have some function to aggregate all results falling into the same time slot. Examples would be avg() or sum().