Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to use rex command to extract value from the e...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jambraun
Explorer
09-22-2016
03:03 PM
I know this type of question has been asked many times before, but I haven't been able to get results from using REX. Time to ask an expert.
Here's a typical event from a search:
9/22/16
4:55:03.000 PM
2016-09-22 20:55:03+00:00 server.domain.com F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 = STRING: All devices in the device group are in sync
host = server
source = /data/snmp/team_metrics_f5/teamMetricsF5__2016-09-22__server.log
sourcetype =team_metrics_snmp
I want to capture the value after STRING: "; e.g "All devices in the device group are in sync. This won't always be the value of course.
Here's the search string I was toying with that yielded 0 results:
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<\Sync_Status>\d+)$" | table Sync_Status
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?"<\sync_status>\w+)$" | table Sync_Status
I couldn't figure out how to get the "<" to show up, so ignore the "\" in the field name
Thanks everyone!
--Jarred
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lquinn
Contributor
09-22-2016
04:15 PM
I think the structure of your query is fine - your regex just doesn't quite work. The first one you tried is looking for a string of digits, the second one a string of word characters. Neither of these look for spaces so if you are trying to capture a string which contains spaces you will need to add this into your regex as well. So you could use something like this ...
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>[\w\s]+)$" | table Sync_Status
Alternatively, you could open your regex up further, in case other characters might appear in the string, by using .* like this ...
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>.*)$" | table Sync_Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lquinn
Contributor
09-22-2016
04:15 PM
I think the structure of your query is fine - your regex just doesn't quite work. The first one you tried is looking for a string of digits, the second one a string of word characters. Neither of these look for spaces so if you are trying to capture a string which contains spaces you will need to add this into your regex as well. So you could use something like this ...
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>[\w\s]+)$" | table Sync_Status
Alternatively, you could open your regex up further, in case other characters might appear in the string, by using .* like this ...
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0 | rex "STRING: (?<Sync_Status>.*)$" | table Sync_Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jambraun
Explorer
09-22-2016
05:02 PM
Brilliant. Thank you! I'm still learning syntax. I know there are about 10 different ways to accomplish this but I particularly like the catch all *.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
MuS
Legend
09-22-2016
04:14 PM
Hi jambraun,
your regex either matches only number or any word character. So by changing it into this:
index=team_f5_metrics F5-BIGIP-SYSTEM-MIB::sysCmSyncStatusSummary.0
| rex "STRING: (?<Sync_Status>[^$]+?)$"
| table Sync_Status
you should be able to get everything after STRING until the end of line. Tested and working on regex101.com
Hope this helps ...
cheers, MuS
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
jambraun
Explorer
09-22-2016
05:03 PM
Works as well 🙂 Thank you for the example.
Get Updates on the Splunk Community!
Get Operational Insights Quickly with Natural Language on the Splunk Platform
In today’s fast-paced digital world, turning data into actionable insights is essential for success. With ...
What’s New in Splunk Observability Cloud – June 2025
What’s New in Splunk Observability Cloud – June 2025 We are excited to announce the latest enhancements to ...
Almost Too Eventful Assurance: Part 2
Work While You SleepBefore you can rely on any autonomous remediation measures, you need to close the loop ...
