topic Re: How to extract particular value using regular expression? in Splunk Search

How to extract particular value using regular expression?

chetanhonnavile — Tue, 14 Feb 2017 19:41:36 GMT

In the below event "status" key has the value either "1" or "0" . I am looking out to extract those "status" having the value "0" and put them in a field

please help me out in getting a regular expression for this.

2017-02-14 18:47:28.572 INFO  SomePlaceHolder-5 [.abc.def.nothingishere]  - string response: <200 OK,{"clips":[{"myid":"123456","historyid":"777-888-999","provider":"somecompany","status":1,"userType":1}]},{X-Backside-Transport=[OK OK], Connection=[Keep-Alive], Transfer-Encoding=[chunked], Content-Type=[application/json], X-Powered-By=[ARR/3.0,ASP.NET], Date=[Tue, 14 Feb 2017 18:47:28 GMT], X-Client-IP=[10.0.0.0.], X-Global-Transaction-ID=[9876543]}>

Re: How to extract particular value using regular expression?

cpetterborg — Tue, 14 Feb 2017 20:29:11 GMT

Do you only want the ones with 0 as the value? This is the general solution:

... | rex "\"state\":(?P<status>\d),"

Re: How to extract particular value using regular expression?

richgalloway — Tue, 14 Feb 2017 20:34:56 GMT

Something like this, perhaps?

index=foo | regex "\"status\":0" | ...

Re: How to extract particular value using regular expression?

chetanhonnavile — Tue, 14 Feb 2017 21:11:04 GMT

yeah,looking for only status:0

well the query you provided gives me the same number of events combining both 0's and 1's.

if i am filtering it for only 0's then the event count will be too small.

Re: How to extract particular value using regular expression?

chetanhonnavile — Tue, 14 Feb 2017 21:12:38 GMT

this is working...thanks!

now i am trying to put them in a field.

Re: How to extract particular value using regular expression?

chetanhonnavile — Tue, 14 Feb 2017 21:14:15 GMT

well this solution looks like regular regex.

i am finding difficulty in understanding the 'rex' conventions used in splunk ,any good explanatory document at your end ?

Re: How to extract particular value using regular expression?

DalJeanis — Tue, 14 Feb 2017 22:27:11 GMT

Put precisely WHAT in a field?

Re: How to extract particular value using regular expression?

cpetterborg — Tue, 14 Feb 2017 23:19:51 GMT

If you just want a count, you can do this:

 ... | rex "\"state\":(?P<status>\d)," | search status=0 | stats count

or this:

 ... | rex "\"state\":(?P<status>0)," | where status=* | stats count

Re: How to extract particular value using regular expression?

gvmorley — Wed, 15 Feb 2017 04:16:39 GMT

Have a read of the section regarding 'named capture groups' here:

http://www.regular-expressions.info/named.html

This should be a good starting point to see how the rex command (not the regex command), can be used to create field / value pairs.

Building on the great answers above, think of it like this.

Find the part of your string which you want to match, then wrap it in brackets.

So if you wanted to find the digit after "status": you could write:

"\"status\":(\d)"

Now if you want to give that a field name (lets call it 'status_value') using rex, you could do:

"\"status\":(?<status_value>\d)"

In Splunk, you should now have a field called 'status_value' containing the digit from your event.

But the http://www.regular-expressions.info site is a great place to read up on regex in general.