Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to get 2 values out of a string using rex command

rilee
Explorer
‎06-30-2021 07:51 AM

I have the following sample data returned that I'd like to extract 2 fields out of it: 1) The value after the "T "  and before the "EmployeeController.Post -" will be the first field <tsid>.   2) Between the "EmployeeController.Post - " and " - End" will be the second field <duration>.  

06/30/21 09:39:21.39 p17872 [00226] T ELBJsZX6wk68nXrUKKEd4g EmployeeController.Post - 00:00:00:538 - End
 
Your help is highly appreciated.
 

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎06-30-2021 11:05 AM

This is very straightforward so I'm interested in seeing what you've tried and help determine why it didn't work.

At search time, this can be done with two separate regexes:

| rex "] T (?<tsid>\S+)"
| rex "EmployeeController.Post - (?<duration>\S+)"

or with a single regex:

| rex "] T (?<tsid>\S+) EmployeeController.Post - (?<duration>\S+)"

At index-time, use the latter regex.

---
If this reply helps you, Karma would be appreciated.
Reply

rilee
Explorer
‎06-30-2021 11:18 AM

In my base index search, I added  "EmployeeController.Post" "- End" filter values to return only the lines I need.

Then I used 

| rex field=_raw "\s+T+\s(?<txid>.*?)\s+EmployeeController\\.Post\s\\-\s(?<duration>.*?)\s\\-\s+End"

|table txid duration

That did work and I have solved my issue just an hour ago! 

But yours looks much neater.  Thank you so much for your reply.  I appreciate it.  Practice makes perfection and I shall get better sooner than later.

Tags (1)
0 Karma
Reply

rilee
Explorer
‎06-30-2021 11:20 AM

Sorry, tsid and txid are the same I am referring to. ^_^ I will refine my syntax to use your line. Thanks again 

0 Karma
Reply
Get Updates on the Splunk Community!

Cultivate Your Career Growth with Fresh Splunk Training

Growth doesn’t just happen—it’s nurtured. Like tending a garden, developing your Splunk skills takes the right ...

Introducing a Smarter Way to Discover Apps on Splunkbase

We’re excited to announce the launch of a foundational enhancement to Splunkbase: App Tiering.  Because we’ve ...

How to Send Splunk Observability Alerts to Webex teams in Minutes

As a Developer Evangelist at Splunk, my team and I are constantly tinkering with technology to explore its ...
Top