Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract only one value in a regex search?

leandrodematosp
New Member
‎06-02-2020 11:12 AM

How do I get only the value that is before the ms?
Remember that this log is multiline, each statement is an event.

Ex: 13657, 5469, 6000

2020-06-02 18:01:04,331 INFO  ect-1-1rere872 25000 Execution Info
+[Job_ExtractICON].......................................................................13657 ms. Invocations 1
2020-06-02 17:48:40,449 INFO  ecp-2-14343527 25000 Execution Info
+[Job_ExtractICON].................................................................................5469 ms. Invocations 1
2020-06-02 17:45:27,697 INFO  ecj-1-16576 25000 Execution Info
+[Job_ExtractICON]...........................................................................6000 ms. Invocations 1
0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎06-02-2020 11:41 PM

Hi
you can try something like this:

| rex "(?ms)(?<time>\d+)\s+ms\."

that you can test at https://regex101.com/r/qjVfQW/1

Ciao.
Giuseppe

0 Karma
Reply

jscraig2006
Communicator
‎06-02-2020 01:41 PM

you can try \.{70}(?<num>\d+) if the periods are always 70 in count. or \.(?<num>\d+)\s+ms

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...