Solved: Need help with REX after a String - Splunk Community

Dashboards & Visualizations

Hi Team,

I am trying to extract the value after a particular string format and its not getting the right value.

The Value i wanted is after this string "COUNT(1)=*"

{ORD_CRTN_DTE=XXXXXXXX, COUNTRY=XXXXXX, AGENCY=XXXXXXX, PGM_CDE=XXXXXXX, COUNT(1)=1}]

I am using the the below rex and its not giving the value of the count i.e 1. The Rex I am using is below.

rex "COUNT(1)=(?<Count>\d+)"

1 Solution

Solution

You were *so* close. Literal parentheses need to be escaped in regular expressions. Otherwise, they're treated as a capture group.

| rex "COUNT\(1\)=(?<Count>\d+)"

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Solution

You were *so* close. Literal parentheses need to be escaped in regular expressions. Otherwise, they're treated as a capture group.

| rex "COUNT\(1\)=(?<Count>\d+)"

---
If this reply helps you, Karma would be appreciated.

Thanks a lot Rich 🙂

Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...