Splunk Search

Can you help me create a regular expression to extract 2 values from a string?

arjun_krishna
Explorer

log1:

com.google.AbcdExtension] [mthd] | null - Bound **CLINIC-MBR-GROUP-INC**:23490110094900 -- total execution took **14** seconds

log2:

com.google.AbcdExtension] [mthd] | null - Bound DEAF-RECO:12310110094900 -- writing 3 records took 14 seconds

log3:

com.google.AbcdExtension] [mthd] | val - Bound EYE-TRIO-GRP-INCREMENTAL:201901342421 -- backup strategy execution took 0 seconds

log4:

com.google.AbcdExtension] [mthd] | val - Bound **HOSPITAL-CARE-GROUP**:201123131323 -- total execution took **3425** seconds

From the above 4 logs, I want to extract the log1 and log4 values, like the table below (highlighted):

HospName                Timee
CLINIC-MBR-GROUP-INC      14
HOSPITAL-CARE-GROUP       3425

I have tried the below query, but it's giving junk also:

index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" | rex "- Bound (?<HospName>[^\:]*)" | rex "-- total execution took (?<Timee>[\w]*)" | table HospName Timee

Could you please correct my query

0 Karma
1 Solution

renjith_nair
Legend

@arjun_krishna ,

Try

"Bound\s(?<HospName>[\w-]+):\d+ -- total execution took\s(?<Time>\d+)\s"
Happy Splunking!


Richfez
SplunkTrust

Could you explain how we know for sure which entries are junk and which entries are not junk? It is just those two things, "CLINIC-MBR-GROUP-INC" and "HOSPITAL-CARE-GROUP" that are OK, and everything else is junk, or is it that EYE* and DEAF* are junk and everything else is good?

0 Karma

arjun_krishna
Explorer

"Bound\s(?<HospName>[\w-]+):\d+ -- total execution took\s(?<Time>\d+)\s"
With this query I am extracting the required HospName and Time attributes, but in the table representation I am getting other logs too. Due to this, the table becomes empty for most rows.

0 Karma

Richfez
SplunkTrust
index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" | rex "- Bound (?<HospName>[^\:]*)" | rex "-- total execution took (?<Timee>[\w]*)" | search HospName=* | table HospName Timee

Which just searches for the ones where HospName is in the data, after you've extracted?

You could flip that and just search for the data you want first, then extract:

index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" ("HOSPITAL-CARE-GROUP" OR "CLINIC-MBR-GROUP-INC")
| rex "- Bound (?<HospName>[^\:]*)" | rex "-- total execution took (?<Timee>[\w]*)" | table HospName Timee

NOTE in both cases I did not make any other changes to your extraction or search, just copied and pasted it from above so you can compare and see what I did. It might work as is, but also there are other suggestions for chunks of it that people have already posted - those might work better with the additions I made.

0 Karma

richgalloway
SplunkTrust

I see nothing wrong with your query. Like @renjith.nair said, you could use \d instead of \w, but both should work. What results are you getting and what are you expecting?

---
If this reply helps you, Karma would be appreciated.
0 Karma

arjun_krishna
Explorer

With the above query I am getting the exact logs, but also junk logs; due to that my table becomes empty for most of the rows.

0 Karma

arjun_krishna
Explorer

Thanks for the help @renjith.nair. I want to take a timechart/linechart with HospName on the x-axis and Time (the time taken for each) on the y-axis.

I have tried the below:

|timechart count by HospName, Time

but I am not getting any chart. Please help me on this.

0 Karma

renjith_nair
Legend

@arjun_krishna , timechart is for plotting values over a period of time. In your case,

chart max(Time) by HospName

should work.

Happy Splunking!
0 Karma

renjith_nair
Legend

Ok, just add "total execution took" to your base search to filter only those events where you have values:

index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" "total execution took"
Happy Splunking!
0 Karma
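To show concretely why the original two-rex query produced blank rows while renjith_nair's single pattern (and the "total execution took" base-search filter) does not, here is an added Python re-implementation over the four sample lines; this is example code written for this thread, not Splunk's rex engine or anyone's posted query. The only change to the patterns is Python's (?P<name>...) group syntax, and the chart step is simulated as a dictionary.

```python
import re

# The four sample lines from the question (constructed test data, values as posted).
LOGS = [
    "com.google.AbcdExtension] [mthd] | null - Bound CLINIC-MBR-GROUP-INC:23490110094900 -- total execution took 14 seconds",
    "com.google.AbcdExtension] [mthd] | null - Bound DEAF-RECO:12310110094900 -- writing 3 records took 14 seconds",
    "com.google.AbcdExtension] [mthd] | val - Bound EYE-TRIO-GRP-INCREMENTAL:201901342421 -- backup strategy execution took 0 seconds",
    "com.google.AbcdExtension] [mthd] | val - Bound HOSPITAL-CARE-GROUP:201123131323 -- total execution took 3425 seconds",
]

# The two rex patterns from the original query. Splunk rex uses (?<name>...);
# Python's re needs (?P<name>...), which is the only change made here.
ORIG_HOSP = re.compile(r"- Bound (?P<HospName>[^\:]*)")
ORIG_TIME = re.compile(r"-- total execution took (?P<Timee>[\w]*)")

# The accepted answer's single pattern, same translation applied.
SOLUTION = re.compile(r"Bound\s(?P<HospName>[\w-]+):\d+ -- total execution took\s(?P<Time>\d+)\s")

def original_query(logs):
    """Mimic `rex ... | rex ... | table HospName Timee`: each rex runs
    independently and a failed match just leaves its field unset, so every
    event survives and rows whose second rex failed show an empty Timee
    (the 'junk' rows in the question)."""
    rows = []
    for line in logs:
        h = ORIG_HOSP.search(line)
        t = ORIG_TIME.search(line)
        rows.append((h.group("HospName") if h else "", t.group("Timee") if t else ""))
    return rows

def solution_query(logs):
    """Mimic the accepted single pattern: both fields come from one rex, so an
    event either yields both values or is dropped (the same effect as
    `search HospName=*` or adding "total execution took" to the base search)."""
    rows = []
    for line in logs:
        m = SOLUTION.search(line)
        if m:
            rows.append((m.group("HospName"), int(m.group("Time"))))
    return rows

def chart_max_time(rows):
    """Mimic `chart max(Time) by HospName` over the extracted rows."""
    chart = {}
    for name, seconds in rows:
        chart[name] = max(chart.get(name, 0), seconds)
    return chart
```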