Solved: How to Extract Any Values With a Decimal in my Rex...

Traer001 · ‎06-11-2021

Hello,

This may be an easy one, but I've been struggling with finding an answer for it.

I have events that look like this:

2021-06-11 17:22:13 Error at Position 1.1232 45.3285
2021-06-11 17:20:31 Error at Position -6.6351 32.3882
2021-06-11 17:19:14 Error at Position -21.1287 4.9063

The first number is an x coordinate and the second is a y coordinate. I am trying to extract these values with a regex string that look like this:

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>.\d+.\d+)\s(?<y_coord>.\d+.\d+)"

However, this won't allow me to get values with just a single number followed by a decimal (ie. 1.1232). If I get rid of the dot at the beginning of each then it won't get any of the negative signs.

How can I rewrite this rex string to get all of the values?

rupkumar4sec · ‎06-11-2021

Try this

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"

View solution in original post

ITWhisperer · ‎06-11-2021

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[\d\.\-]+)\s(?<y_coord>[\d\.\-]+)"

rupkumar4sec · ‎06-11-2021

Try this

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"

How to Extract Any Values With a Decimal in my Rex String

field extraction

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

Join the Conversation