Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extreme rex help

ddefer
New Member
‎11-12-2020 10:39 AM

I am comfortable with the rex command when straightforward text strings are involved.

I've got something that is decidedly NOT a straightforward text string.  It is a substring in a larger log entry (not shown) and looks like this:

RESULTVECTOR="{2106177} EMAAC02:0(16)/EMACC65:0(68)/BPOSTK01:0(476[11+436+11])/BPOSCC01:0(2072)/BPOSTK01:0(629[15+590+9])/BPOSCC02:0(867)/EMACC28:0(42)/BPOSRT01:0(101)/EMACC65:0(129)/BPOSRT10:0(2063152[15+2063087+31])/EMACC65:0(30)/EMAAC10:0(37884[13+37829+25])/EMACC51:0(23)

The first part identifies complex substring part (RESULTVECTOR) and the overall response time for a transactions.   The rest is a set of sorta-name-value-pairs (delimited by "/") that tell me a <sub-process name>:<sub-process response code>(<sub-process response time>)[<optional set of sub-sub-process response times of arbitrary length, delimited by "+">] 

I want to recursively process this string to, at a minimum, the total response time and a set of details for each sub-process (I am willing to ignore the sub-sub-process data for now).

I can't get past the first sub-process.  My attempt at rex so far is:

rex field=_raw max_match=100 " RESULTVECTOR=\"{(?<TOTAL_RESP>.*)} (?<A_PROC>\w+):(?<A_RC>\d+)\((?<A_RESP>\d+).*"

Is it even possible to capture the data I need using rex? 

 

Labels (4)
Labels
Tags (1)
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2020 11:02 AM

If you split it into two rex you could do this

| rex " RESULTVECTOR=\"{(?<TOTAL_RESP>.*)} (?<responses>.*)"
| rex max_match=0 field=responses "(?<A_PROC>\w+):(?<A_RC>\d+)\((?<A_RESP>\d+)(?<subsub>\[[\d\+]+\])?"
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...