Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting number from a string in order to use st...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paulito
Explorer
02-04-2022
11:32 AM
Data:
SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!"warn=load > 95" "crit=load > 97" "time=120m"!"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%
I just need one of the "8%" to be extracted as a number so I can see the average over time for example.
Am I correct in thinking regex can do this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-04-2022
02:54 PM
Hi there,
if the format of the string is always the same you can use rex to get the first 8 like this
| makeresults
| eval foo="SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!\"warn=load > 95\" \"crit=load \> 97\" \"time=120m\"!\"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%\"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%"
| makemv delim="X" foo
| mvexpand foo `comment("Anything above is to generate events")`
| rex field=foo "\dm\'=(?<perc>\d)\%"
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-04-2022
02:54 PM
Hi there,
if the format of the string is always the same you can use rex to get the first 8 like this
| makeresults
| eval foo="SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!\"warn=load > 95\" \"crit=load \> 97\" \"time=120m\"!\"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%\"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%"
| makemv delim="X" foo
| mvexpand foo `comment("Anything above is to generate events")`
| rex field=foo "\dm\'=(?<perc>\d)\%"
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paulito
Explorer
02-07-2022
08:11 AM
Thank you so much, that last line works perfectly.
Can I ask if this will capture a multiple digit number?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-07-2022
11:25 AM
Hi there,
for multiples digits you have to add a + like this:
| rex field=foo "\dm\'=(?<perc>\d+)\%"
cheers, MuS
Get Updates on the Splunk Community!
Prove Your Splunk Prowess at .conf25—No Prereqs Required!
Your Next Big Security Credential: No Prerequisites Needed
We know you’ve got the skills, and now, earning the ...
Splunk Observability Cloud's AI Assistant in Action Series: Observability as Code
This is the sixth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how to ...
Splunk Answers Content Calendar, July Edition I
Hello Community!
Welcome to another month of Community Content Calendar series! For the month of July, we will ...
