Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I extract a number from the raw message

JeffCr
Explorer
‎08-04-2016 07:49 AM

How do I extract the following which always occurs as the last part of the raw text in message e.g "Took 13983.1468ms."
I want only the number and to capture timestamp and hostname. The total message length and structure might vary slightly but the ending is the same.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2016 07:54 AM

I'd use rex.

index=foo | rex "Took (?<num>\d+\.?\d+)ms" | ...

If you need help extracting timestamp and hostname, please show some sample data.

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

twinspop
Influencer
‎08-04-2016 08:31 AM 
| rex "Took (?P<dur>\d+\.?\d*)ms"

Will put the value into dur

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2016 07:54 AM

I'd use rex.

index=foo | rex "Took (?<num>\d+\.?\d+)ms" | ...

If you need help extracting timestamp and hostname, please show some sample data.

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

twinspop
Influencer
‎08-04-2016 08:28 AM

I think that regex is going to surprise in some situations. You are requiring that there be 2 digits. 1 or more digits, followed by optional decimal, followed by 1 or more digits.

0 Karma
Reply
Solved! Jump to solution

JeffCr
Explorer
‎08-04-2016 08:30 AM

There will always be at least x.x

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎08-04-2016 08:13 AM

To alert on certain values, schedule a search for those values.

index=foo | rex "Took (?<num>\d+\.?\d+)ms" | where num > someThreshold | table _time hostname num

Have the search trigger an alert if the number of results is not zero.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

JeffCr
Explorer
‎08-04-2016 08:26 AM

Many thanks for the answer!

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎08-04-2016 07:52 AM

You would use a regular expression..

Try this

| rex (?P<Time>(?<=Took\s)\d+(?=ms))

Reply
Solved! Jump to solution

twinspop
Influencer
‎08-04-2016 08:29 AM

This doesn't allow for decimals.

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎08-04-2016 08:53 AM

Sorry about that, try this

| rex (?P<Time>(?<=Took\s)\d+\.\d+(?=ms))

0 Karma
Reply
Solved! Jump to solution

JeffCr
Explorer
‎08-04-2016 08:09 AM

Whats the easiest way to search the result set and then alert on a threshold value(s). Do I need to pass this into a command to build a table first?

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎08-04-2016 08:54 AM

No you don't need to do that, you can add a | where clause such as

... | where Time > 2

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...