Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to build a regular expression that will ca...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to build a regular expression that will capture multiple numbers in a field?
shivarpith
Path Finder
12-07-2016
07:42 AM
my log looks like below and i wanted to know if i could make a single regular expression to extract all xxx-xxx numbers
The following messages were logged on 12/07/16 at 07:52:10.
0420-094: blah blah blah destination.
0423-245: blah blah blah changed.
0420-098: blah blah blah job.
0424-138: blah blah blah.
so if Regex is Number then i would like to see
number
0420-094
0423-245
0420-098
0424-138
or to better understand if i do a stats count by number
number | Count
0420-094 | 1
0423-245 | 1
0420-098 | 1
0424-138 | 1
i know i can do multiple regex's for each one and then coalesce to merge them all, but if there's a better way then why not 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
12-07-2016
08:43 AM
How about this?
your search ... | rex "(?<number>[^:]*)" | stats count as Count by number
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shivarpith
Path Finder
12-08-2016
05:03 AM
Thank you for the response but the regex above will still pick the 1st number that came up in the log, i have a scenario where an event has 2-6 numbers like below but not limited to.
0420-094
0423-245
0420-098
0424-138
i want regex to parse all the values that match the regex, i was looking at MV_ADD option but not sure if that would work.
\n(?.*):
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
12-08-2016
10:09 AM
Sorry, I interpreted your original post to be different log messages.
Is your sourcetype already correctly differentiating your multiline log events? If not, that needs be cleaned up first.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
rjthibod
Champion
12-08-2016
10:20 AM
If you are doing this at search time, then you would probably want the following in transforms.conf (you would reference the following transform in props.conf as well).
[MVNumber]
REGEX = (\d+-\d+):
FORMAT = Number::$1
MV_ADD = true
And you would want to add the following to fields.conf
[Number]
TOKENIZER = (\d+-\d+):
INDEXED = false
INDEXED_VALUE = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
shivarpith
Path Finder
12-08-2016
01:35 PM
thank you, i will try it out and post the update. thanks a lot
Get Updates on the Splunk Community!
Exciting News: The AppDynamics Community Joins Splunk!
Hello Splunkers,
I’d like to introduce myself—I’m Ryan, the former AppDynamics Community Manager, and I’m ...
The All New Performance Insights for Splunk
Splunk gives you amazing tools to analyze system data and make business-critical decisions, react to issues, ...
Good Sourcetype Naming
When it comes to getting data in, one of the earliest decisions made is what to use as a sourcetype. Often, ...
