Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Extracting number from a string in order to use st...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paulito
Explorer
02-04-2022
11:32 AM
Data:
SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!"warn=load > 95" "crit=load > 97" "time=120m"!"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%
I just need one of the "8%" to be extracted as a number so I can see the average over time for example.
Am I correct in thinking regex can do this?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-04-2022
02:54 PM
Hi there,
if the format of the string is always the same you can use rex to get the first 8 like this
| makeresults
| eval foo="SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!\"warn=load > 95\" \"crit=load \> 97\" \"time=120m\"!\"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%\"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%"
| makemv delim="X" foo
| mvexpand foo `comment("Anything above is to generate events")`
| rex field=foo "\dm\'=(?<perc>\d)\%"
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-04-2022
02:54 PM
Hi there,
if the format of the string is always the same you can use rex to get the first 8 like this
| makeresults
| eval foo="SERVICEPERFDATA::'total 120m'=8%;95;97 SERVICECHECKCOMMAND::check_nrpe3!check_cpu!-a!\"warn=load > 95\" \"crit=load \> 97\" \"time=120m\"!\"detail-syntax=%(load)% load for %(time) - Thresholds: Warn gt 95%, Crit gt 97%\"!show-all!!! HOSTSTATE::UP HOSTSTATETYPE::HARD SERVICESTATE::OK SERVICESTATETYPE::HARD SERVICEOUTPUT::OK: 8% load for 120m - Thresholds: Warn gt 95%, Crit gt 97%"
| makemv delim="X" foo
| mvexpand foo `comment("Anything above is to generate events")`
| rex field=foo "\dm\'=(?<perc>\d)\%"
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
paulito
Explorer
02-07-2022
08:11 AM
Thank you so much, that last line works perfectly.
Can I ask if this will capture a multiple digit number?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
02-07-2022
11:25 AM
Hi there,
for multiples digits you have to add a + like this:
| rex field=foo "\dm\'=(?<perc>\d+)\%"
cheers, MuS
Get Updates on the Splunk Community!
.conf25 Registration is OPEN!
Ready. Set. Splunk!
Your favorite Splunk user event is back and better than ever. Get ready for more technical ...
Detecting Cross-Channel Fraud with Splunk
This article is the final installment in our three-part series exploring fraud detection techniques using ...
Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside
Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...
