topic Regex Help for special characters in Splunk Search

Regex Help for special characters

chanukhya — Tue, 29 Nov 2016 23:10:14 GMT

Hi,

My log looks like this. I am trying to get the average response time by service.

ServiceInvoker (service_A) : executeFlow : Time Take is = 3378
ServiceInvoker (service_B) : executeFlow : Time Take is = 378
ServiceInvoker (service_C) : executeFlow : Time Take is = 338

Here is what i have:

 index=app  |rex '\ServiceInvoker\s+"((?<service>\S+))"\s+:\s+executeFlow\s+:\s+Time\s+take\s+is\s+=\s+(?<response_time>\d+)'   | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

The brackets that are surrounding the service name is causing an issue for retrieving the results. Any help or ideas would be appreciated.
Thanks in advance

Re: Regex Help for special characters

sundareshr — Tue, 29 Nov 2016 23:16:03 GMT

Try this

*UPDATED

index=app  |rex "[^\(]+\((?<servicename>[^\)]+)\)[^=]+=[\s\t]+(?<response_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

*OR*

index=app  |rex "[^\(]+\((?<servicename>[^\)]+)" | rex "=[\s\t]+(?<response_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service

Re: Regex Help for special characters

aljohnson_splun — Tue, 29 Nov 2016 23:17:40 GMT

Hi @Chanukhya,

Just escape the ( with a backslash.

https://regex101.com/r/BTBkvw/1

ServiceInvoker\s+\((?<service_name>\w+)\)\s+:\s+(?<service_flow>\w+)\s+:[^=]+=\s(?<response_time>\d+)

Re: Regex Help for special characters

chanukhya — Tue, 29 Nov 2016 23:34:24 GMT

Sorry, It didn't work. Updated my question.

Re: Regex Help for special characters

chanukhya — Tue, 29 Nov 2016 23:34:51 GMT

Sorry, It didn't worked.

Re: Regex Help for special characters

sundareshr — Tue, 29 Nov 2016 23:42:01 GMT

Try the updated query

Re: Regex Help for special characters

chanukhya — Tue, 29 Nov 2016 23:46:24 GMT

It didn't worked as well, The service names are different and some service names has an underscore in the name and some dont. I am trying to get the average response times and count for each service, which is in between the brackets.

Re: Regex Help for special characters

gokadroid — Tue, 29 Nov 2016 23:57:23 GMT

Try this:

index=app 
|rex field=_raw "(.*|^)ServiceInvoker\s*\((?<service_name>[^\)]+)\)\s*.*Time\s*Take\s*is\s*\=\s*(?<respTime>[\d]+)"
| stats  sparkline(avg(respTime),1m) as processTime_trend, avg(respTime),count BY service_name

See here the regex in action

Re: Regex Help for special characters

sundareshr — Wed, 30 Nov 2016 00:07:01 GMT

Do you see any results when you try this

index=app  | rex "[^\(]+\((?<servicename>[^\)]+)\)[^=]+=[\s\t]+(?<response_time>\d+)"  | table servicename response_time

Re: Regex Help for special characters

gcusello — Wed, 30 Nov 2016 06:45:57 GMT

Remember to put backslash before =
Bye.
Giuseppe

Re: Regex Help for special characters

chanukhya — Wed, 30 Nov 2016 16:03:33 GMT

Thanks for your help.

Re: Regex Help for special characters

lakromani — Wed, 30 Nov 2016 16:14:42 GMT

Do you need all the line in the regex? If not, you can do like this:

index=app  | rex "Time Take is =\s(?<respnse_time>\d+)"  | stats  sparkline(avg(response_time),1m) as processTime_trend, avg(response_time),count BY service