- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I use rex to extract fields from my sample ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How do I use rex to extract fields from my sample data and get the count?
I want to extract fields.
This is the log:
country=us,name = [peter, susan, jack],city=nyc
When I do this:
| table name
The result is:
[peter
How do I use rex to extract names and get the count of name, which the output should be 3.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi melodyqu2015,
based on the provided examples you can use this rex to get the fields:
your search here to get the results
| rex field=name max_match=0 "[\[\s](?<name>\w+)[,\]]"
| stats count(name) AS count
The result for the example will be count=3 as you can see in this run everywhere search (the first line is just needed to build the dummy event):
| gentimes start=-1 | eval foo=" country=us,name = [peter, susan, jack],city=nyc"
| rex field=foo max_match=0 "[\[\s](?<name>\w+)[,\]]"
| stats count(name) AS count
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, thank you! I tried, but it didn't work.
I tried to search the following one and want to see if I extract correctly. I want the result has three names and then I can use "split" and "count" to get the final result. But I got stuck when extract and get null result here.
| rex field=_raw ".*name=\[(?.*)\]+, city=" | table name
Do you know how can I fix this?
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Why not using the regex I provided to you? Yours will not match and does not work, because it contains an invalid group structure and an unmatched parenthesis.
You can test your regex at www.regex101.com
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your code works, but it didn't work for this log:
Amount = null,Id = sdf23sdfwieu-wejsidvuoiwue-2082rd,title = [aaa:titlebase:title#123123-2323-23223-2323-2323dfwe, aaa:titlebase:title#sdsdf-45453-dfgs-565-fgfg, aaa:titlebase:title#12dfwwe-df4f-345-8978-feferf],number = sdfi3i4rhjf-wekhsdifuh43-sdfoiueh,Uri = 3rjhoe8fu9-rhwufhwef-34piruheruf
And if I do
my search |table title
the result is just:
[aaa:titlebase:title#123123-2323-23223-2323-2323dfwe
How can I get count of title, for this case, the result should be 3.
Thanks!
New in Observability - Improvements to Custom Metrics SLOs, Log Observer Connect & ...
Improve Data Pipelines Using Splunk Data Management
3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?
