Splunk Search

In a field value that contains text, how can I display or extract just the numerical value within that text?

steveklinck
New Member

We have a "Message" field that always contains the same verbiage except for a numerical value. I only want the numerical value.
Example: "The system uptime is 999999 seconds." (The quotes are not part of the Message text.)

How can I display only the 999999?

Thanks

0 Karma
1 Solution

richgalloway
SplunkTrust
SplunkTrust

Try rex. This example extracts the digits into field 'uptime' which you can then use in other SPL commands.

... | rex field=Message "uptime is (?<uptime>\d+) seconds" | ...
---
If this reply helps you, Karma would be appreciated.


0 Karma

steveklinck
New Member

Thanks to both of you for the extremely quick answer. Per richgalloway, I added | stats values(uptime)
and that gives me the desired result.

Thanks again to both of you.

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

@steveklinck - Please don't forget to click "Accept" under richgalloway's answer to close out your question. Thank you.

0 Karma

vasanthmss
Motivator

Populate the value using the search below:

|stats c |fields - c  | eval message="The system uptime is 999999 seconds." 

Use the regular expression below to get the numeric value:

| rex field=message "uptime is (?<up_time>\d+)"

The sample search will be:

|stats c |fields - c  | eval message="The system uptime is 999999 seconds." | rex field=message "uptime is (?<up_time>\d+)"

So you can try something like this:

your base search ... | rex field=message "uptime is (?<up_time>\d+)"
V

steveklinck
New Member

thanks again to both of you

0 Karma