Solved: Re: How to Extract Any Values With a Decimal in my...

Traer001 · ‎06-11-2021

Hello,

This may be an easy one, but I've been struggling with finding an answer for it.

I have events that look like this:

2021-06-11 17:22:13 Error at Position 1.1232 45.3285
2021-06-11 17:20:31 Error at Position -6.6351 32.3882
2021-06-11 17:19:14 Error at Position -21.1287 4.9063

The first number is an x coordinate and the second is a y coordinate. I am trying to extract these values with a regex string that look like this:

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>.\d+.\d+)\s(?<y_coord>.\d+.\d+)"

However, this won't allow me to get values with just a single number followed by a decimal (ie. 1.1232). If I get rid of the dot at the beginning of each then it won't get any of the negative signs.

How can I rewrite this rex string to get all of the values?

rupkumar4sec · ‎06-11-2021

Try this

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"

View solution in original post

ITWhisperer · ‎06-11-2021

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[\d\.\-]+)\s(?<y_coord>[\d\.\-]+)"

rupkumar4sec · ‎06-11-2021

Try this

| rex field=_raw "Error\sat\sPosition\s(?<x_coord>[^\s]+)\s(?<y_coord>[^\s]+)"

How to Extract Any Values With a Decimal in my Rex String

field extraction

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Telemetry Pipeline Management

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation