Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get ptime from below string
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Veeruswathi
Explorer
04-29-2019
12:34 AM
Hi ,
Below is my field "rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,ptime:20" I would like to get ptime from this , which is 20 . But sometimes i have the field coming as maxptime instead of ptime
Please help
Thanks,
Swathi
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-29-2019
12:53 AM
Hi
Give a try
| makeresults
| eval msg="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20"
| makemv delim="," msg
| rex field=msg "(ptime:|maxptime:)(?P<ptime>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jason_prondak
Explorer
04-29-2019
09:11 AM
Why not just use extract?
| makeresults
| eval _raw="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20,ptime:20"
| extract pairdelim=",", kvdelim=":" mv_add=t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Veeruswathi
Explorer
04-29-2019
12:54 AM
This is the below error : 'ptime:(?\w+)': Regex: unrecognized character after (? or (?-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-29-2019
12:53 AM
Hi
Give a try
| makeresults
| eval msg="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20"
| makemv delim="," msg
| rex field=msg "(ptime:|maxptime:)(?P<ptime>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Veeruswathi
Explorer
04-29-2019
12:59 AM
Awesome!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
04-29-2019
12:44 AM
@veeruswathi
try this:
| makeresults | eval test="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,ptime:20" | rex field=test "ptime:(?
Get Updates on the Splunk Community!
Aligning Observability Costs with Business Value: Practical Strategies
Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...
Mastering Data Pipelines: Unlocking Value with Splunk
In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...
Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0
Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
