Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Fields from unstructured data (rex help)
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fields from unstructured data (rex help)
Hey everyone, I am trying to get a rex written that will suck out a few key items from data that I'm taking into splunk. Here's an example of the lines from the event that I'm interested in:
Key: User License - 23 out of 100 used
Key: Group License - 21 out of 2147483647 used
Key: maxTrunkGroupCallCapacity - 0 out of 50 used
Now, the numbers I'm interested in getting out of each of these lines are the User license count, the group license count, and the trunk call capacity, as well as the purchased license count. What I think makes this difficult is that the numbers aren't zero padded, which in posix regex makes it harder. The numbers can change depending on what each server's license allows for. I'm still learning PCRE. Could anyone give me a hand writing a rex to grab these values?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Msarro,
Have you tried using the Interactive Field Extractor?
Maybe look Here.
This is a great tool, especially for us who are hesitant in out abilities with regex.
Zero padding should not matter, you will probably be using "\d" for digits, and just throwing on a + will give you "one or more times", thus,
\d+
means 1 or more digits. For example it would match 0, 02312300123, or 23.
Either way, starting with the IFE to give you a good guess at the regex and then all that matters is making sure you understand what Splunk is saying with the regex it generates and editing it if you notice and errors.
GL!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The v4.2 Interactive Field Extractor sucks IMO. Highly recommend using something like RegEx Buddy or RegEx Magic. They are cheap apps but really make short work of regex's.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I actually tried it. After using it on 23 and 100 it worked fine. However on 21 it choked and couldn't locate the field.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
