How come the rex command is not working like normal regex?

Given a string:

(path=/myPath/123/endpoint,method=GET,accept=text/plain;version=0.0.4;q=1,*/*;q=0.1,content-type=null,accept-encoding=gzip,totalTime=127),

I want to retrieve the value for "path" and "totalTime" to create a visualization.

The rex...

rex field=log "path=(?<endpoint>\/\w+),totalTime=(?<milliseconds>\d+)"

...doesn't produce any results. I've tried several variations. Can anyone help with this rex?

Re: How come the rex command is not working like normal regex?

@jmorri6

Try

path=(?<endpoint>[\/\w\d]+).+totalTime=(?<milliseconds>\d+)

Re: How come the rex command is not working like normal regex?

rex "path=(?P<endPoint>.*?)," | rex "totalTime=(?P<milliseconds>\d+)"

Add these rex to your query to get the results.

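As an added example (not part of any post in this thread), the Python below runs the three patterns from the thread against the sample event with `re.search`, which, like rex, matches anywhere in the field. The `rex` and `extract` helpers and the `REORDERED` event are constructed for illustration; `(?<name>...)` is written as `(?P<name>...)` because Python's `re` requires that form, and every stage is assumed to read the `log` field.

```python
import re

# Sample event from the question (the value of the "log" field).
EVENT = ("(path=/myPath/123/endpoint,method=GET,accept=text/plain;version=0.0.4;"
         "q=1,*/*;q=0.1,content-type=null,accept-encoding=gzip,totalTime=127),")

# Constructed variant: same kind of fields, but totalTime appears before path.
REORDERED = "(totalTime=127,path=/myPath/123/endpoint,method=GET),"

# Patterns from the thread, named groups rewritten to Python's (?P<name>...) form.
QUESTION = r"path=(?P<endpoint>\/\w+),totalTime=(?P<milliseconds>\d+)"
ACCEPTED = r"path=(?P<endpoint>[\/\w\d]+).+totalTime=(?P<milliseconds>\d+)"
CHAINED = [r"path=(?P<endPoint>.*?),", r"totalTime=(?P<milliseconds>\d+)"]


def rex(fields, pattern, source="log"):
    """Emulate one rex stage: unanchored search, named groups become fields.

    As with rex, an event that does not match passes through unchanged.
    """
    match = re.search(pattern, fields.get(source, ""))
    extracted = dict(fields)
    if match:
        extracted.update(match.groupdict())
    return extracted


def extract(log, patterns):
    """Run one or more rex stages and return only the newly extracted fields."""
    fields = {"log": log}
    for pattern in patterns:
        fields = rex(fields, pattern)
    fields.pop("log")
    return fields


if __name__ == "__main__":
    cases = [("question", [QUESTION]), ("accepted", [ACCEPTED]), ("chained", CHAINED)]
    for name, patterns in cases:
        print(name, extract(EVENT, patterns), extract(REORDERED, patterns))
```

The question's pattern extracts nothing because `\/\w+` stops after `/myPath` and the next character is `/`, not the `,totalTime` the pattern requires. The accepted pattern depends on `path` appearing before `totalTime` in the event, while the two independent rex stages do not.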