Solved: Help with writing Regex?

Ganees · ‎08-26-2015

Can someone please help me to write a regex to get the value "78" value from the below sample data?

Destination to Source positive jitter Number/Sum/Sum2: 76/78/80

PGrantham · ‎08-27-2015

Try this

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "Number/Sum/Sum2:\s+(?<Number>\d+)\/(?<Sum>\d+)\/(?<Sum2>\d+)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

What should happen is the rex command creates the field "Number" and assigns it the value of whatever numbers it finds (hence the \d+) before the next forward slash. It does the same thing with Sum and Sum2.

Here's some good documentation on regex:
http://www.rexegg.com/regex-quickstart.html

Also a cool app you can use for practicing and testing your regex:
http://www.regexr.com/

View solution in original post

PGrantham · ‎08-27-2015

Try this

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "Number/Sum/Sum2:\s+(?<Number>\d+)\/(?<Sum>\d+)\/(?<Sum2>\d+)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

What should happen is the rex command creates the field "Number" and assigns it the value of whatever numbers it finds (hence the \d+) before the next forward slash. It does the same thing with Sum and Sum2.

Here's some good documentation on regex:
http://www.rexegg.com/regex-quickstart.html

Also a cool app you can use for practicing and testing your regex:
http://www.regexr.com/

danny2015 · ‎08-26-2015

Something like - | rex "(?\d\d)/(?\d\d)/(?\d\d)".

richgalloway · ‎08-26-2015

You'll probably want some field names to use downstream

rex "(?<Number>\d\d)\/(?<Sum>\d\d)\/(?<Sum2>\d\d)"

Perhaps the editor stripped them from @Ganees' answer.

---
If this reply helps you, Karma would be appreciated.

Ganees · ‎08-27-2015

Thanks for your help. Do you mean that I need to have the field extracted before doing the search?

richgalloway · ‎08-27-2015

The rex command will extract the fields for you. That is what the

(?<x>*)

construct does.

---
If this reply helps you, Karma would be appreciated.

Ganees · ‎08-27-2015

Every minute the file gets updated with new values as you can see below

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" This returns the below results

8/27/15 8:54:15.512 AM Destination to Source negative jitter Number/Sum/Sum2: 103/106/112
8/27/15 8:53:15.496 AM Destination to Source negative jitter Number/Sum/Sum2: 199/206/220
8/27/15 8:52:15.496 AM Destination to Source negative jitter Number/Sum/Sum2: 108/109/111

Now I want to make a timechart for Sum, so my search query is

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "(?\d\d)\/(?\d\d)\/(?\d\d)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

And I see below results. The values I would expect to see would be 106,206,109
_time Jitter-Sum
2015-08-27 08:54:15

2015-08-27 08:53:15 75
2015-08-27 08:52:15 59

Any idea where I am making mistake?

Help with writing Regex?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life