Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get ptime from below string
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Veeruswathi
Explorer
04-29-2019
12:34 AM
Hi ,
Below is my field "rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,ptime:20" I would like to get ptime from this , which is 20 . But sometimes i have the field coming as maxptime instead of ptime
Please help
Thanks,
Swathi
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-29-2019
12:53 AM
Hi
Give a try
| makeresults
| eval msg="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20"
| makemv delim="," msg
| rex field=msg "(ptime:|maxptime:)(?P<ptime>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jason_prondak
Explorer
04-29-2019
09:11 AM
Why not just use extract?
| makeresults
| eval _raw="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20,ptime:20"
| extract pairdelim=",", kvdelim=":" mv_add=t
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Veeruswathi
Explorer
04-29-2019
12:54 AM
This is the below error : 'ptime:(?\w+)': Regex: unrecognized character after (? or (?-
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vnravikumar
Champion
04-29-2019
12:53 AM
Hi
Give a try
| makeresults
| eval msg="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,maxptime:20"
| makemv delim="," msg
| rex field=msg "(ptime:|maxptime:)(?P<ptime>\d+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Veeruswathi
Explorer
04-29-2019
12:59 AM
Awesome!!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
vishaltaneja070
Motivator
04-29-2019
12:44 AM
@veeruswathi
try this:
| makeresults | eval test="rtpmap:8 PCMA/8000,rtpmap:101 telephone-event/8000,ptime:20" | rex field=test "ptime:(?
Get Updates on the Splunk Community!
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...
Transform your security operations with Splunk Enterprise Security
Hi Splunk Community,
Splunk Platform has set a great foundation for your security operations. With the ...
Splunk Admins and App Developers | Earn a $35 gift card!
Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...
