Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with writing Regex?

Ganees
New Member
‎08-26-2015 10:57 AM

Can someone please help me to write a regex to get the value "78" value from the below sample data?

Destination to Source positive jitter Number/Sum/Sum2: 76/78/80

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎08-27-2015 06:52 AM

Try this 

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "Number/Sum/Sum2:\s+(?<Number>\d+)\/(?<Sum>\d+)\/(?<Sum2>\d+)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

What should happen is the rex command creates the field "Number" and assigns it the value of whatever numbers it finds (hence the \d+) before the next forward slash. It does the same thing with Sum and Sum2.

Here's some good documentation on regex:
http://www.rexegg.com/regex-quickstart.html

Also a cool app you can use for practicing and testing your regex:
http://www.regexr.com/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎08-27-2015 06:52 AM

Try this 

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "Number/Sum/Sum2:\s+(?<Number>\d+)\/(?<Sum>\d+)\/(?<Sum2>\d+)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

What should happen is the rex command creates the field "Number" and assigns it the value of whatever numbers it finds (hence the \d+) before the next forward slash. It does the same thing with Sum and Sum2.

Here's some good documentation on regex:
http://www.rexegg.com/regex-quickstart.html

Also a cool app you can use for practicing and testing your regex:
http://www.regexr.com/

0 Karma
Reply
Solved! Jump to solution

danny2015
Engager
‎08-26-2015 12:42 PM

Something like - | rex "(?\d\d)/(?\d\d)/(?\d\d)".

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-26-2015 12:51 PM

You'll probably want some field names to use downstream

rex "(?<Number>\d\d)\/(?<Sum>\d\d)\/(?<Sum2>\d\d)"

Perhaps the editor stripped them from @Ganees' answer.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Ganees
New Member
‎08-27-2015 05:11 AM

Thanks for your help. Do you mean that I need to have the field extracted before doing the search?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2015 05:30 AM

The rex command will extract the fields for you. That is what the 

(?<x>*)

construct does.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Ganees
New Member
‎08-27-2015 06:03 AM

Every minute the file gets updated with new values as you can see below

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" This returns the below results

8/27/15 8:54:15.512 AM Destination to Source negative jitter Number/Sum/Sum2: 103/106/112
8/27/15 8:53:15.496 AM Destination to Source negative jitter Number/Sum/Sum2: 199/206/220
8/27/15 8:52:15.496 AM Destination to Source negative jitter Number/Sum/Sum2: 108/109/111

Now I want to make a timechart for Sum, so my search query is

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "(?\d\d)\/(?\d\d)\/(?\d\d)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

And I see below results. The values I would expect to see would be 106,206,109
_time Jitter-Sum
2015-08-27 08:54:15

2015-08-27 08:53:15 75
2015-08-27 08:52:15 59

Any idea where I am making mistake?

0 Karma
Reply
Get Updates on the Splunk Community!

Now Playing: Splunk Education Summer Learning Premieres

It’s premiere season, and Splunk Education is rolling out new releases you won’t want to miss. Whether you’re ...

The Visibility Gap: Hybrid Networks and IT Services

The most forward thinking enterprises among us see their network as much more than infrastructure – it's their ...

Get Operational Insights Quickly with Natural Language on the Splunk Platform

In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
Top