Solved: how to use regression expression to extract a fiel...

hqw · ‎10-04-2015

hi all,

i have one filed called value, it is a value like : 1006718, but it contains two information, 10067 is the real score, 18 is another filed called steps. May i know how can I separate this value into two fields, one is called real_value, another is called move_steps?

my search:
(label="Score*") value |stats count(_raw) by value |rename value AS Score

my result:
Score

1006718

echalex · ‎10-05-2015

Hi,

This regular expression is only valid if the value of steps always corresponds to the last two digits of value:

... |rex field=value "^(?<score>\d*)(?<steps>\d\d)$"

If steps can consist of one digit or more than two digits, then you can only guess.

View solution in original post

echalex · ‎10-05-2015

Hi,

This regular expression is only valid if the value of steps always corresponds to the last two digits of value:

... |rex field=value "^(?<score>\d*)(?<steps>\d\d)$"

If steps can consist of one digit or more than two digits, then you can only guess.

hqw · ‎10-05-2015

Hi echalex,

Thanks for your help, it really works.

Best Regards
hqw

vincenteous · ‎10-05-2015

Does the value have fixed format (in your example it's 7 digits format)?

how to use regression expression to extract a field

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

how to use regression expression to extract a field

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases