Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extracting data which is incosistent

nateNpgh
Loves-to-Learn Lots
‎06-30-2023 06:15 AM

I need to extract a time value from log file where the time value appears with a few different variations of characters around it.  I'm struggling with handling all the variations through my regex extract.

Below are examples of each of the variations:

ChainedQuery elapsed time [90]ms

Elapsed time: 114ms

Elapsed time to get Service pool: 339

Elapsed Time: 69

,took 37ms

Is there a way to extract all the numeric values with 1 regex?

 

Labels (2)
Labels
0 Karma
Reply

nateNpgh
Loves-to-Learn Lots
‎06-30-2023 06:38 AM

I just need to be able to handle the variations I included.

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-30-2023 06:41 AM

Just use an alternative within a group and you're set.

(Prefix1|prefix2|prefix3)(?<capture_field>\d+)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎07-04-2023 10:34 AM

Hi

With those examples this should work https://regex101.com/r/jBOkh7/1

\s+[\[]?(\d+)

But this expecting that in field where you are extracting these values haven't been anything else. If those contains other text you need to modify that.

r. Ismo 

0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎06-30-2023 06:35 AM

It depends how many different variants you expect to encounter and how fool-proof you want this solution to be. If you go too broadly - for example extracting every sequence of digits after a "elapsed" word (would need a separate branch for the "took" version) - you risk getting unrelated data extracted.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...