Solved: How to Extract Any Values With a Decimal in my Rex...

Traer001 · ‎06-11-2021

Hello,

This may be an easy one, but I've been struggling with finding an answer for it.

I have events that look like this:

2021-06-11 17:22:13 Error at Position 1.1232 45.3285
2021-06-11 17:20:31 Error at Position -6.6351 32.3882
2021-06-11 17:19:14 Error at Position -21.1287 4.9063

The first number is an x coordinate and the second is a y coordinate. I am trying to extract these values with a regex string that look like this:

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>.\d+.\d+)\s(?<y_coord>.\d+.\d+)"

However, this won't allow me to get values with just a single number followed by a decimal (ie. 1.1232). If I get rid of the dot at the beginning of each then it won't get any of the negative signs.

How can I rewrite this rex string to get all of the values?

rupkumar4sec · ‎06-11-2021

Try this

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"

View solution in original post

ITWhisperer · ‎06-11-2021

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[\d\.\-]+)\s(?<y_coord>[\d\.\-]+)"

rupkumar4sec · ‎06-11-2021

Try this

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"

How to Extract Any Values With a Decimal in my Rex String

field extraction

rex

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!

Are you a member of the Splunk Community?

How to Extract Any Values With a Decimal in my Rex String

field extraction

rex

Splunk Observability Cloud's AI Assistant in Action Series: Auditing Compliance and ...

Splunk Community Badges!

What You Read The Most: Splunk Lantern’s Most Popular Articles!