Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In a field value that contains text, how can I display or extract just the numerical value within that text?

steveklinck
New Member
‎04-24-2017 09:43 AM

We have a "Message" field that always contains the same verbiage except for a numerical value. I only want the numerical value.
Example: "The system uptime is 999999 seconds." (The quotes are not part of the Message text.)

How can I display only the 999999?

Thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 10:21 AM

Try rex. This example extracts the digits into field 'uptime' which you can then use in other SPL commands.

... | rex field=Message "uptime is (?<uptime>\d+) seconds" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎04-24-2017 10:21 AM

Try rex. This example extracts the digits into field 'uptime' which you can then use in other SPL commands.

... | rex field=Message "uptime is (?<uptime>\d+) seconds" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

steveklinck
New Member
‎04-24-2017 10:31 AM

Thanks to both of you for the extremely quick answer. Per richgalloway, I added | stats values(uptime)
and that gives me the desired result.

Thanks again to both of you.

0 Karma
Reply
Solved! Jump to solution

aaraneta_splunk
Splunk Employee
Splunk Employee
‎04-24-2017 10:41 AM

@steveklinck - Please don't forget to click "Accept" under richgalloway's answer to close out your question. Thank you.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎04-24-2017 10:17 AM

Populating the value using the below search, 

|stats c |fields - c  | eval message="The system uptime is 999999 seconds."

Use the below regular expression to get the numeric value 

| rex field=message "uptime is (?<up_time>.\d+)"

Sample Search will be, 

|stats c |fields - c  | eval message="The system uptime is 999999 seconds." | rex field=message "uptime is (?<up_time>.\d+)"

So you can try something like this, 

your base search ... | rex field=message "uptime is (?<up_time>.\d+)"
V
Reply
Solved! Jump to solution

steveklinck
New Member
‎04-24-2017 11:01 AM

thanks again to both of you

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...