Splunk Search

How to build a regular expression that will capture multiple numbers in a field?

shivarpith
Path Finder

My log looks like the one below, and I wanted to know if I could make a single regular expression to extract all xxx-xxx numbers.

The following messages were logged on 12/07/16 at 07:52:10.

0420-094: blah blah blah destination.
0423-245: blah blah blah  changed.
0420-098: blah blah blah  job.
0424-138: blah blah blah.

So if the regex field is Number, then I would like to see

number

0420-094
0423-245
0420-098
0424-138

Or, to better understand, if I do a stats count by number:

number         |     Count
0420-094       |       1
0423-245       |       1
0420-098       |       1
0424-138       |       1

I know I can do multiple regexes, one for each, and then coalesce to merge them all, but if there's a better way, then why not 🙂

0 Karma

rjthibod
Champion

How about this?

your search ... | rex "(?<number>[^:]*)" | stats count as Count by number 
0 Karma

shivarpith
Path Finder

Thank you for the response, but the regex above will still pick the first number that came up in the log. I have a scenario where an event has 2-6 numbers like the ones below, but not limited to those.
0420-094
0423-245
0420-098
0424-138

I want the regex to parse all the values that match it; I was looking at the MV_ADD option but I'm not sure if that would work.

\n(?.*):

0 Karma

rjthibod
Champion

Sorry, I interpreted your original post to be different log messages.

Is your sourcetype already correctly differentiating your multiline log events? If not, that needs to be cleaned up first.

0 Karma

rjthibod
Champion

If you are doing this at search time, then you would probably want the following in transforms.conf (you would reference the following transform in props.conf as well).

[MVNumber]
REGEX  = (\d+-\d+):
FORMAT = Number::$1
MV_ADD = true

And you would want to add the following to fields.conf

[Number]
TOKENIZER = (\d+-\d+):
INDEXED = false
INDEXED_VALUE = true
0 Karma
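As an added illustration (not code from the thread), the Python script below applies the `(\d+-\d+):` pattern from the transforms.conf stanza above to a constructed copy of the multiline event in the question, producing the multivalue result and the per-number count, and contrasts it with the single-match `[^:]*` pattern from the first reply.

```python
import re
from collections import Counter

# Constructed sample event, modelled on the multiline log in the question.
EVENT = """The following messages were logged on 12/07/16 at 07:52:10.

0420-094: blah blah blah destination.
0423-245: blah blah blah  changed.
0420-098: blah blah blah  job.
0424-138: blah blah blah."""

# Same pattern as REGEX in the transforms.conf stanza: digits, hyphen, digits,
# followed by the colon that terminates the message id.
NUMBER_RE = re.compile(r"(\d+-\d+):")

# Pattern from the first reply: everything up to the first colon in the event.
FIRST_COLON_RE = re.compile(r"(?P<number>[^:]*)")


def extract_first(event: str) -> str:
    """Single-match behaviour (rex without max_match): only one capture is kept.
    On a multiline event this grabs the header text up to the first ':'."""
    return FIRST_COLON_RE.search(event).group("number")


def extract_all(event: str) -> list[str]:
    """MV_ADD-style behaviour: every match becomes another value of the field."""
    return NUMBER_RE.findall(event)


def count_by_number(events: list[str]) -> dict[str, int]:
    """Equivalent of `stats count by Number` over the multivalue field:
    each value of each event contributes one row."""
    counts: Counter = Counter()
    for ev in events:
        counts.update(extract_all(ev))
    return dict(counts)


if __name__ == "__main__":
    print("first match only :", repr(extract_first(EVENT)))
    print("all matches      :", extract_all(EVENT))
    for number, count in sorted(count_by_number([EVENT]).items()):
        print(f"{number:<14}| {count}")
```

The search-time equivalent in SPL is `rex max_match=0 "(?<Number>\d+-\d+):"`, which likewise yields a multivalue Number field.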

shivarpith
Path Finder

Thank you, I will try it out and post the update. Thanks a lot.

0 Karma