Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract field values

msarkaus
Path Finder
‎02-27-2025 11:04 AM

Hello, I’m trying to only pull a spefic value from the msgTxt log. In the log below, the example is 2024. This value does change and could be one digit or up to 6 digits.

msgTxt = xxiskServicxxxapper - MxxeNext completed in 2024 ms. (request details: environment: Production | desired services: BusixxxsOwnexxxerritory | property type: Commercial | address: x RxxxDANx DR , xxxSHFIELD , xx 02xx0)

Below is the search I'm trying to use but its not working. Any help would be apreseated.

| eval msgTxt=" msgTxt: xxiskServicxxxapper - MxxeNext completed in 2024 ms. (request details: environment: Production | desired services: BusixxxsOwnexxxerritory*"
| rex "in=(?<in>\w+)."
| stats count by in

Labels (1)
Labels
Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-27-2025 11:30 AM

You're very close.  Use \d (digit) in place of \w (word).  Also, remove the '=' since there is no such character in the data.

| rex "in (?<in>\d+)"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-27-2025 11:30 AM

You're very close.  Use \d (digit) in place of \w (word).  Also, remove the '=' since there is no such character in the data.

| rex "in (?<in>\d+)"

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

msarkaus
Path Finder
‎03-04-2025 12:10 PM

Sorry to be a bother, but what if there is a special char like = involved. I can't add the equal sign into my search query.

 

| eval msxxxt="*Action=GexxxxdledxxxxReport Duration=853*"
| rex "Duration (<?Duration>\d+)"
| timechart span=1h avg(Duration) AS avg_response by msxxxt

 

Thanks again for your help

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-04-2025 05:02 PM

The search command cannot search for '*'.  The '=' character also is a challenge.  You can, however, use regex to filter on these and other "special" characters.

| eval msxxxt="*Action=GexxxxdledxxxxReport Duration=853*"
| regex "="
| rex "Duration (<?Duration>\d+)"
| timechart span=1h avg(Duration) AS avg_response by msxxxt
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

msarkaus
Path Finder
‎02-27-2025 11:34 AM

Thank you

Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...