Solved: How to get ptime from below string

Veeruswathi · ‎04-29-2019

Hi ,

Below is my field "rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,ptime:20" I would like to get ptime from this , which is 20 . But sometimes i have the field coming as maxptime instead of ptime

Please help

Thanks,
Swathi

vnravikumar · ‎04-29-2019

Hi

Give a try

| makeresults 
| eval msg="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20" 
| makemv delim="," msg 
| rex field=msg "(ptime:|maxptime:)(?P<ptime>\d+)"

View solution in original post

jason_prondak · ‎04-29-2019

Why not just use extract?

| makeresults 
| eval _raw="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20,ptime:20" 
| extract pairdelim=",", kvdelim=":" mv_add=t

Veeruswathi · ‎04-29-2019

This is the below error : 'ptime:(?\w+)': Regex: unrecognized character after (? or (?-

vnravikumar · ‎04-29-2019

Hi

Give a try

| makeresults 
| eval msg="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20" 
| makemv delim="," msg 
| rex field=msg "(ptime:|maxptime:)(?P<ptime>\d+)"

Veeruswathi · ‎04-29-2019

Awesome!!

vishaltaneja070 · ‎04-29-2019

@veeruswathi

try this:
| makeresults | eval test="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,ptime:20" | rex field=test "ptime:(?\w+)"

How to get ptime from below string

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation