Splunk Search

How to create a rex for search?

super_virus
New Member

I have the below log line:
Slow GraphQL query [8447ms]

How can I grab only the value "8447"?

0 Karma

cpetterborg
SplunkTrust

Search-time? Index-time? Are all the events similar? Is that the whole event?

If you just want a search-time rex way with the example data being the whole event:

... | rex "\[(?P<ms>\d+)ms\]"

If it isn't the entire event, then use the field=yourfieldname option to the rex command.

0 Karma
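
Added example (not part of the answer above): a quick offline check of the same pattern against a few constructed events, including lines that carry other bracketed tokens or no duration at all. Python's `re` accepts the same `(?P<ms>...)` named-group syntax as the rex shown; the sample events and the helper names `extract_ms` and `slow_queries` are assumptions made for illustration.

```python
import re

# Same pattern as the rex in the answer above. Python's re module accepts
# the identical (?P<name>...) named-group syntax for this simple pattern.
DURATION_RE = re.compile(r"\[(?P<ms>\d+)ms\]")

# Constructed sample events (not from the original post).
SAMPLE_EVENTS = [
    "Slow GraphQL query [8447ms]",
    "2024-01-01 12:00:00 WARN [worker-3] Slow GraphQL query [120ms] op=getUser",
    "GraphQL query completed",
    "Slow GraphQL query [1.5s]",
]


def extract_ms(event):
    """Return the duration in milliseconds as an int, or None if absent."""
    match = DURATION_RE.search(event)
    return int(match.group("ms")) if match else None


def slow_queries(events, threshold_ms):
    """Return (duration, event) pairs at or above threshold_ms, slowest first."""
    hits = [(extract_ms(e), e) for e in events]
    return sorted(
        ((ms, e) for ms, e in hits if ms is not None and ms >= threshold_ms),
        reverse=True,
    )


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(f"{extract_ms(event)!s:>6}  {event}")
    print(slow_queries(SAMPLE_EVENTS, threshold_ms=1000))
```

The captured value is text until converted; the `int()` call here plays the role that a numeric conversion would play in a search before comparing or aggregating the field.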

PowerPacked
Builder

Hi

Please find the following image.

0 Karma