We have a "Message" field that always contains the same verbiage except for a numerical value. I only want the numerical value.
Example: "The system uptime is 999999 seconds." (The quotes are not part of the Message text.)
How can I display only the 999999?
Thanks
Try rex. This example extracts the digits into field 'uptime' which you can then use in other SPL commands.
... | rex field=Message "uptime is (?<uptime>\d+) seconds" | ...
Thanks to both of you for the extremely quick answer. Per richgalloway, I added | stats values(uptime) and that gives me the desired result.
Thanks again to both of you.
@steveklinck - Please don't forget to click "Accept" under richgalloway's answer to close out your question. Thank you.
Populating the value using the below search,
|stats c |fields - c | eval message="The system uptime is 999999 seconds."
Use the below regular expression to get the numeric value
| rex field=message "uptime is (?<up_time>\d+)"
Sample Search will be,
|stats c |fields - c | eval message="The system uptime is 999999 seconds." | rex field=message "uptime is (?<up_time>\d+)"
So you can try something like this,
your base search ... | rex field=message "uptime is (?<up_time>\d+)"
Thanks again to both of you.