How to extract only one value in a regex search?

leandrodematosp · ‎06-02-2020

How do I get only the value that is before the ms?
Remember that this log is multiline, each statement is an event.

Ex: 13657, 5469, 6000

2020-06-02 18:01:04,331 INFO  ect-1-1rere872 25000 Execution Info
+[Job_ExtractICON].......................................................................13657 ms. Invocations 1
2020-06-02 17:48:40,449 INFO  ecp-2-14343527 25000 Execution Info
+[Job_ExtractICON].................................................................................5469 ms. Invocations 1
2020-06-02 17:45:27,697 INFO  ecj-1-16576 25000 Execution Info
+[Job_ExtractICON]...........................................................................6000 ms. Invocations 1

gcusello · ‎06-02-2020

Hi
you can try something like this:

| rex "(?ms)(?<time>\d+)\s+ms\."

that you can test at https://regex101.com/r/qjVfQW/1

Ciao.
Giuseppe

jscraig2006 · ‎06-02-2020

you can try \.{70}(?<num>\d+) if the periods are always 70 in count. or \.(?<num>\d+)\s+ms

How to extract only one value in a regex search?

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025

Are you a member of the Splunk Community?

How to extract only one value in a regex search?

September Community Champions: A Shoutout to Our Contributors!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

What’s New in Splunk Observability – September 2025