how to write Regex for matching two strings with n...

james_n · ‎11-28-2018

Hi,

I have a data like

event 1 classA Total number of calls happened: 1104

event 2 ClassA Marked the calls in finalization: 1111

event 3 classA Total number of calls happened: 10

So, i would like to write regex for matching two fields one for string and another for number in all events

Expected output:

Transactions count

Total number of calls happened 1114

Marked the calls in finalization 1111

woodcock · ‎11-28-2018

Like this:

| makeresults | eval raw="classA Total number of calls happened: 1104:::classA Marked the calls in finalization: 1111:::classA Total number of calls happened: 10"
| fields - _time
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "^(?<class>\S+)\s+((?:Total number of calls happened:\s*(?<happened>\d+))|(?:Marked the calls in finalization:\s*(?<finalized>\d+)))$"
| stats sum(*) AS * BY class

FrankVl · ‎11-28-2018

Try something like this:

| rex "(?:c|C)lassA\s(?<Transactions>[^:]):\s(?<count>\d+)"
| chart sum(count) as count over Transactions

james_n · ‎11-28-2018

if it is StateImpl_CCC Total number of calls happened 1114 instead of classA Total number of calls happened: 1104 ??

FrankVl · ‎11-28-2018

Try | rex "\w+\s(?<Transactions>[^:]):\s(?<count>\d+)"

how to write Regex for matching two strings with numbers

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

how to write Regex for matching two strings with numbers

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!