how to write Regex for matching two strings with n...

james_n · ‎11-28-2018

Hi,

I have a data like

event 1 classA Total number of calls happened: 1104

event 2 ClassA Marked the calls in finalization: 1111

event 3 classA Total number of calls happened: 10

So, i would like to write regex for matching two fields one for string and another for number in all events

Expected output:

Transactions count

Total number of calls happened 1114

Marked the calls in finalization 1111

woodcock · ‎11-28-2018

Like this:

| makeresults | eval raw="classA Total number of calls happened: 1104:::classA Marked the calls in finalization: 1111:::classA Total number of calls happened: 10"
| fields - _time
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "^(?<class>\S+)\s+((?:Total number of calls happened:\s*(?<happened>\d+))|(?:Marked the calls in finalization:\s*(?<finalized>\d+)))$"
| stats sum(*) AS * BY class

FrankVl · ‎11-28-2018

Try something like this:

| rex "(?:c|C)lassA\s(?<Transactions>[^:]):\s(?<count>\d+)"
| chart sum(count) as count over Transactions

james_n · ‎11-28-2018

if it is StateImpl_CCC Total number of calls happened 1114 instead of classA Total number of calls happened: 1104 ??

FrankVl · ‎11-28-2018

Try | rex "\w+\s(?<Transactions>[^:]):\s(?<count>\d+)"

how to write Regex for matching two strings with numbers

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

how to write Regex for matching two strings with numbers

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR