Hey everyone, I am trying to get a rex written that will suck out a few key items from data that I'm taking into Splunk. Here's an example of the lines from the event that I'm interested in:
Key: User License - 23 out of 100 used Key: Group License - 21 out of 2147483647 used Key: maxTrunkGroupCallCapacity - 0 out of 50 used
Now, the numbers I'm interested in getting out of each of these lines are the User license count, the group license count, and the trunk call capacity, as well as the purchased license count. What I think makes this difficult is that the numbers aren't zero padded, which in posix regex makes it harder. The numbers can change depending on what each server's license allows for. I'm still learning PCRE. Could anyone give me a hand writing a rex to grab these values?
Have you tried using the Interactive Field Extractor?
Maybe look Here.
This is a great tool, especially for us who are hesitant in our abilities with regex.
Zero padding should not matter; you will probably be using "\d" for digits, and just throwing on a + will give you "one or more times", thus "\d+" means 1 or more digits. For example it would match 0, 02312300123, or 23.
Either way, starting with the IFE will give you a good guess at the regex, and then all that matters is making sure you understand what Splunk is saying with the regex it generates and editing it if you notice any errors.
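One regex that pulls the used and purchased counts for all three keys out of the quoted event, as an added example that is not part of this thread. Python's re module stands in for Splunk's PCRE (the equivalent rex is given in a comment), and the sample event is constructed from the lines quoted in the question.

```python
import re

# Constructed sample event, modelled on the lines quoted in the question.
SAMPLE_EVENT = (
    "Key: User License - 23 out of 100 used "
    "Key: Group License - 21 out of 2147483647 used "
    "Key: maxTrunkGroupCallCapacity - 0 out of 50 used"
)

# \d+ matches one or more digits regardless of padding, so 0, 23 and
# 2147483647 are all captured by the same group. Python spells named groups
# (?P<name>...); Splunk's PCRE-based rex writes them (?<name>...), e.g.
#   | rex max_match=0 "Key:\s+(?<license>.+?)\s+-\s+(?<used>\d+)\s+out\s+of\s+(?<total>\d+)\s+used"
LICENSE_RE = re.compile(
    r"Key:\s+(?P<license>.+?)\s+-\s+(?P<used>\d+)\s+out\s+of\s+(?P<total>\d+)\s+used"
)


def extract_license_counts(event):
    """Return {license_name: (used, total)} for every "Key:" entry in the event.

    The lazy .+? stops at the first " - " so the key name does not swallow
    the following count; finditer walks all entries on one run-together line.
    Counts are converted to int so they can be compared or alerted on.
    """
    return {
        m.group("license"): (int(m.group("used")), int(m.group("total")))
        for m in LICENSE_RE.finditer(event)
    }


def usage_ratio(counts, name):
    """Fraction of purchased licenses consumed for one key (0.0 to 1.0)."""
    used, total = counts[name]
    return used / total


if __name__ == "__main__":
    counts = extract_license_counts(SAMPLE_EVENT)
    for name, (used, total) in counts.items():
        print(f"{name}: {used}/{total} ({usage_ratio(counts, name):.1%})")
```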