Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to build a regular expression that will capture multiple numbers in a field?

shivarpith
Path Finder
‎12-07-2016 07:42 AM

my log looks like below and i wanted to know if i could make a single regular expression to extract all xxx-xxx numbers

The following messages were logged on 12/07/16 at 07:52:10.

0420-094: blah blah blah destination.
0423-245: blah blah blah  changed.
0420-098: blah blah blah  job.
0424-138: blah blah blah.

so if Regex is Number then i would like to see

number 

0420-094
0423-245
0420-098
0424-138

or to better understand if i do a stats count by number

number         |     Count
0420-094       |       1
0423-245       |       1
0420-098       |       1
0424-138       |       1

i know i can do multiple regex's for each one and then coalesce to merge them all, but if there's a better way then why not 🙂

0 Karma
Reply

rjthibod
Champion
‎12-07-2016 08:43 AM

How about this?

your search ... | rex "(?<number>[^:]*)" | stats count as Count by number
0 Karma
Reply

shivarpith
Path Finder
‎12-08-2016 05:03 AM

Thank you for the response but the regex above will still pick the 1st number that came up in the log, i have a scenario where an event has 2-6 numbers like below but not limited to.
0420-094
0423-245
0420-098
0424-138

i want regex to parse all the values that match the regex, i was looking at MV_ADD option but not sure if that would work.

\n(?.*):

0 Karma
Reply

rjthibod
Champion
‎12-08-2016 10:09 AM

Sorry, I interpreted your original post to be different log messages.

Is your sourcetype already correctly differentiating your multiline log events? If not, that needs be cleaned up first.

0 Karma
Reply

rjthibod
Champion
‎12-08-2016 10:20 AM

If you are doing this at search time, then you would probably want the following in transforms.conf (you would reference the following transform in props.conf as well).

[MVNumber]
REGEX  = (\d+-\d+):
FORMAT = Number::$1
MV_ADD = true

And you would want to add the following to fields.conf

[Number]
TOKENIZER = (\d+-\d+):
INDEXED = false
INDEXED_VALUE = true
0 Karma
Reply

shivarpith
Path Finder
‎12-08-2016 01:35 PM

thank you, i will try it out and post the update. thanks a lot

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...