Solved: How to extract a numeric field with rex, then run ...

sheltomt · ‎10-16-2015

Hello,

I'm trying to extract a field, and then run a timechart with the max value over 5 minutes.

My extraction is strictly the tail integer of this string:

<server2name-loc-l1p.domain.com@10.10.10.10#sessions=568>

Best looking solution I found so far is:

| rex field=_raw ".*#sessions +(?<number>[0-9]+)" |timechart span="5m" max(number)

But it does nothing.

sheltomt · ‎10-16-2015

We solved it by going a whole different direction. I was fooling with a super long string, but my co-worker came up with:

rex ".*=(?P\d+)\D"

We're good!

santiagoaloi · ‎10-16-2015

You can even use a shorter one:

| rex field=_raw ".*=(?\d+)"

sheltomt · ‎10-16-2015

We solved it by going a whole different direction. I was fooling with a super long string, but my co-worker came up with:

rex ".*=(?P\d+)\D"

We're good!

aljohnson_splun · ‎10-16-2015

What happens if you table out the number values first ? Is your extraction working?

| rex field=_raw ".*#sessions +(?<number>[0-9]+)"
| table number

How to extract a numeric field with rex, then run a timechart with the max value over 5 minutes?