Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with writing Regex?

Ganees
New Member
‎08-26-2015 10:57 AM

Can someone please help me to write a regex to get the value "78" value from the below sample data?

Destination to Source positive jitter Number/Sum/Sum2: 76/78/80

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎08-27-2015 06:52 AM

Try this 

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "Number/Sum/Sum2:\s+(?<Number>\d+)\/(?<Sum>\d+)\/(?<Sum2>\d+)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

What should happen is the rex command creates the field "Number" and assigns it the value of whatever numbers it finds (hence the \d+) before the next forward slash. It does the same thing with Sum and Sum2.

Here's some good documentation on regex:
http://www.rexegg.com/regex-quickstart.html

Also a cool app you can use for practicing and testing your regex:
http://www.regexr.com/

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PGrantham
Path Finder
‎08-27-2015 06:52 AM

Try this 

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "Number/Sum/Sum2:\s+(?<Number>\d+)\/(?<Sum>\d+)\/(?<Sum2>\d+)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

What should happen is the rex command creates the field "Number" and assigns it the value of whatever numbers it finds (hence the \d+) before the next forward slash. It does the same thing with Sum and Sum2.

Here's some good documentation on regex:
http://www.rexegg.com/regex-quickstart.html

Also a cool app you can use for practicing and testing your regex:
http://www.regexr.com/

0 Karma
Reply
Solved! Jump to solution

danny2015
Engager
‎08-26-2015 12:42 PM

Something like - | rex "(?\d\d)/(?\d\d)/(?\d\d)".

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-26-2015 12:51 PM

You'll probably want some field names to use downstream

rex "(?<Number>\d\d)\/(?<Sum>\d\d)\/(?<Sum2>\d\d)"

Perhaps the editor stripped them from @Ganees' answer.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

Ganees
New Member
‎08-27-2015 05:11 AM

Thanks for your help. Do you mean that I need to have the field extracted before doing the search?

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-27-2015 05:30 AM

The rex command will extract the fields for you. That is what the 

(?<x>*)

construct does.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

Ganees
New Member
‎08-27-2015 06:03 AM

Every minute the file gets updated with new values as you can see below

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" This returns the below results

8/27/15 8:54:15.512 AM Destination to Source negative jitter Number/Sum/Sum2: 103/106/112
8/27/15 8:53:15.496 AM Destination to Source negative jitter Number/Sum/Sum2: 199/206/220
8/27/15 8:52:15.496 AM Destination to Source negative jitter Number/Sum/Sum2: 108/109/111

Now I want to make a timechart for Sum, so my search query is

index="new_tor" "Destination to Source negative jitter Number/Sum/Sum2" | rex "(?\d\d)\/(?\d\d)\/(?\d\d)" | timechart span=1min values(Sum) as Jitter-Sum | sort - _time | head 10

And I see below results. The values I would expect to see would be 106,206,109
_time Jitter-Sum
2015-08-27 08:54:15

2015-08-27 08:53:15 75
2015-08-27 08:52:15 59

Any idea where I am making mistake?

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...