topic Re: Regex to extract a number from string in Splunk Search

Regex to extract a number from string

ahogbin — Tue, 02 Feb 2016 23:42:28 GMT

Hello,

I am trying (rather unsuccessfully) to extract a number of varying length form a sting. The constants are 0s and us with the string in question being 0s/XXXXXus (with X being the numbers I am trying to extract - the number length varies).

I have tried some examples but none do what i am after (most likely due to the fact that I am not sure how best to modify them).

My expression is "0s/(?\d+)us$" but as mentioned above it is not working.

Help !!!

Much thanks in adavance for any help or pointers.

Cheers,

Alastair

Re: Regex to extract a number from string

somesoni2 — Tue, 02 Feb 2016 23:47:24 GMT

Without sample data, it would be tough to provide most correct option but give this a try

your base search | rex field=_raw "0s\/(?<YourNumber>\d+)us$"

Re: Regex to extract a number from string

Richfez — Wed, 03 Feb 2016 00:22:09 GMT

If you have difficulty, try removing the trailing $ sign. In that context it means "the end of the entire line" and as somesoni2 mentioned without sample data it's hard to confirm if it's the end of the string or not.

your base search | rex field=_raw "0s\/(?<YourNumber>\d+)us"

Re: Regex to extract a number from string

ahogbin — Tue, 29 Sep 2020 08:39:05 GMT

Umm... still no joy.

The sample data is
10.93.10.26 - - [03/Feb/2016:11:02:41 +1100] "POST /web/uw-wbc/motor-quote?p_auth=9TDBHxxK&p_p_id=InternetMotorQuotePortlet_WAR_UnderwritingManagementView&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=2&p_p_col_pos=1&InternetMotorQuotePortlet_WAR_UnderwritingManagementViewfacesViewIdRender=%2FWEB-INF%2Fpages%2Fquote%2Fmotor-internet%2FvehicleDetailsInternet.xhtml HTTP/1.1" 200 98343 "https://www.einsure.com.au/safire/web/uw-wbc/motor-quote?p_auth=9TDBHxxK&p_p_id=InternetMotorQuotePortlet_WAR_UnderwritingManagementView&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=2&p_p_col_pos=1&_InternetMotorQuotePortlet_WAR_UnderwritingManagementView_facesViewIdRender=%2FWEB-INF%2Fpages%2Fquote%2Fmotor-internet%2FyourDetails.xhtml" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 98343 bytes 1s/1754987us Unauthenticated 00009CLAaSHjoHtKqKTPFURE3ob:18mta0ukm

and the attempted extraction appears towards the end of the sample (after the word bytes). I have amended to include the varying number before 's'

rex field=_raw "\ds\/(?<RESP>\d+)us$"

Thank you for the help so far

Cheers,

Alastair

Re: Regex to extract a number from string

ahogbin — Wed, 03 Feb 2016 00:26:17 GMT

Perfect... as you suggested I just needed to remove the trailing $ as the data did not occur at the end of the line.

Please ignore the post below

Thank you so much

Re: Regex to extract a number from string

Lowell — Wed, 03 Feb 2016 14:58:07 GMT

I've found regex101.com to be very helpful debugging regexes, and there's a good bit of online help available on the page if you need a refresher on regex syntax. For learning regexes and advanced topics, check out www.regular-expressions.info

Re: Regex to extract a number from string

ramark — Fri, 08 Mar 2019 16:29:04 GMT

I want extract 301. Log "GET / HTTP/1.1" 301 248.
Thanks,I want to extract 301 in "GET / HTTP/1.1" 301 248. Any help.
Thanks

Re: Regex to extract a number from string

richgalloway — Fri, 08 Mar 2019 16:38:11 GMT

@ramark This thread is more than three years old and has an accepted answer so it's unlikely anyone will see your response. If you are having a similar problem, please post a new question describing it and how this answer did not solve it.

Re: Regex to extract a number from string

macadminrohit — Fri, 08 Mar 2019 16:41:23 GMT

"GET \/ HTTP\/\d.\d" (?\d{3})

Re: Regex to extract a number from string

ramark — Fri, 08 Mar 2019 17:16:30 GMT

|rex field=_raw "GET \/ HTTP\/\d.\d" (?\d{3})

Error in 'rex' command: The regex 'GET \/ HTTP\/\d.\d' does not extract anything. It should specify at least one named group. Format: (?...).

Re: Regex to extract a number from string

ramark — Fri, 08 Mar 2019 17:16:50 GMT

thanks for the help

Re: Regex to extract a number from string

macadminrohit — Fri, 08 Mar 2019 17:17:56 GMT

"GET \/ HTTP\/\d.\d" (?<Number>\d{3})

Not sure why the named group got missed in my response.