- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: rex - extract 2 single values from set of numb...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello guyz,
new to splunk was to figure out solution for this.
I have logs like below need to do " rex" and extract 2 values (1st and 4th) from each log with set like [23,23.000,89.375,35,0], [1,1.000,16.000,4,0] etc.
ex.,
value1- "23" and save in new field with name conferences from every log
value4- "35" and save in new field with name calls from every log
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified the regex above a little to get the correct fields.
^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[(?P<conferences>\d+),\d+.\d+[^,],\d+.\d+,(?P<calls>\d+),\d+\]\}
If you're new to regex, here's a great website to help. You can use it to try regex expressions and collaborate with others to help you become an expert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
| makeresults
| eval msg="server: [USAGE] : {\"2\" : [23,23.000,89.375,35,0]}
host = us-voice-vmr11.corp.com"
| append
[| makeresults
| eval msg="server: [USAGE] : {\"2\" : [1,1.000,16.000,4,0]}
host = gs-voice-vmr12.corp.com"]
| rex field=msg "^server:\s\[\w+\]\s:\s\{\"\d+\"\s:\s\[(?P<temp>.+)\]}"
| eval values = split(temp,",")
| eval conferences = mvindex(values,0)
| eval calls = mvindex(values,3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified the regex above a little to get the correct fields.
^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[(?P<conferences>\d+),\d+.\d+[^,],\d+.\d+,(?P<calls>\d+),\d+\]\}
If you're new to regex, here's a great website to help. You can use it to try regex expressions and collaborate with others to help you become an expert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @splunkuseradmin ,
Try using this regex:
rex field=_raw "^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[\d+,(?P<conferences>\d+.\d+[^,]),\d+.\d+,(?P<calls>\d+),\d+\]\}"
Let me know if this helps!!
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
