Splunk Search

Fields from unstructured data (rex help)

msarro
Builder

Hey everyone, I am trying to get a rex written that will suck out a few key items from data that I'm taking into Splunk. Here's an example of the lines from the event that I'm interested in:

Key: User License - 23 out of 100 used
Key: Group License - 21 out of 2147483647 used
Key: maxTrunkGroupCallCapacity - 0 out of 50 used

Now, the numbers I'm interested in getting out of each of these lines are the User license count, the group license count, and the trunk call capacity, as well as the purchased license count. What I think makes this difficult is that the numbers aren't zero padded, which in POSIX regex makes it harder. The numbers can change depending on what each server's license allows for. I'm still learning PCRE. Could anyone give me a hand writing a rex to grab these values?

Thanks!


proctorgeorge
Path Finder

Hey Msarro,

Have you tried using the Interactive Field Extractor?

Maybe look Here.

This is a great tool, especially for those of us who are hesitant in our abilities with regex.

Zero padding should not matter, you will probably be using "\d" for digits, and just throwing on a + will give you "one or more times", thus,

\d+

means 1 or more digits. For example it would match 0, 02312300123, or 23.

Either way, start with the IFE to get a good guess at the regex; then all that matters is making sure you understand what Splunk is saying with the regex it generates and editing it if you notice any errors.

GL!

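Putting the `\d+` advice to work on the lines from the question, here is an added example (not from either poster) that writes the extraction as a Splunk-style rex with PCRE named groups and runs the same pattern in Python over a constructed sample event; the server name in the sample and the field names `license_key`, `used` and `purchased` are my own choices.

```python
import re

# Splunk rex pattern with PCRE named groups, as you would type it into SPL:
#   | rex field=_raw max_match=0 "Key:\s+(?<license_key>.+?)\s+-\s+(?<used>\d+)\s+out\s+of\s+(?<purchased>\d+)\s+used"
# max_match=0 makes rex return every matching line of the event as multivalue
# fields instead of stopping at the first "Key:" line.
SPLUNK_REX = (
    r"Key:\s+(?<license_key>.+?)\s+-\s+(?<used>\d+)"
    r"\s+out\s+of\s+(?<purchased>\d+)\s+used"
)

# Python's re module spells named groups (?P<name>...), so translate the PCRE
# form. This is safe here because the pattern has no (?<= / (?<! lookbehinds.
PY_PATTERN = re.compile(SPLUNK_REX.replace("(?<", "(?P<"))

# Constructed sample event modelled on the lines quoted in the question
# (the header line and server name are made up).
SAMPLE_EVENT = """\
License report for server lab-sbc-01 (constructed sample)
Key: User License - 23 out of 100 used
Key: Group License - 21 out of 2147483647 used
Key: maxTrunkGroupCallCapacity - 0 out of 50 used
"""


def extract_licenses(event):
    """Return {license_key: {"used": n, "purchased": n}} for every Key: line.

    \\d+ accepts any run of digits, so 0, 23 and 2147483647 all match without
    any zero padding; int() turns the captured text into numbers.
    """
    result = {}
    for m in PY_PATTERN.finditer(event):
        result[m.group("license_key")] = {
            "used": int(m.group("used")),
            "purchased": int(m.group("purchased")),
        }
    return result


def utilisation(event):
    """Percent of purchased licenses in use per key (0.0 if none purchased)."""
    return {
        key: (100.0 * v["used"] / v["purchased"]) if v["purchased"] else 0.0
        for key, v in extract_licenses(event).items()
    }


if __name__ == "__main__":
    for key, pct in utilisation(SAMPLE_EVENT).items():
        print(f"{key}: {pct:.2f}% used")
```

In Splunk, the same three fields can be fed to `eval pct=round(100*used/purchased, 2)` to alert on pools that are close to exhaustion.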

netwrkr
Communicator

The v4.2 Interactive Field Extractor sucks IMO. Highly recommend using something like RegEx Buddy or RegEx Magic. They are cheap apps but really make short work of regexes.


msarro
Builder

I actually tried it. After using it on 23 and 100 it worked fine. However on 21 it choked and couldn't locate the field.
