Splunk Search

Is it possible to use a single rex command to deal with multiple scenarios?

andrewtrobec
Motivator

Hello All,

I am trying to write a single rex command that will handle a number of different field entries. Basically I have an effort being stored (painfully) in hours and minutes, but the values for the field can vary. Here is an example of the possibilities:

Case|Effort
1|30 minutes
2|1 hour
3|1 hour 30 minutes
4|2 hours
5|2 hours 30 minutes

What I'd like to do is write a single rex that extracts the hour and minute values when they are available. So far I've written one that handles cases 3 and 5:

rex field=Effort "(?<hours>\d+)\s\w+\s(?<mins>\d+)\s\w+"

What I can't get are cases 1, 2 and 4. I mean, I can rewrite the rex to only get those cases, but I don't know how to combine them...

Do you have any pointers on how to do this?

Thank you and best regards,

Andrew


cpetterborg
SplunkTrust

Yes:

((?<hours>\d+)\shours?\s)?((?<mins>\d+)\sminutes?)?

You basically just have to make things rather explicit and optional.

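An added example, not part of this thread: the accepted answer's pattern run as JavaScript, whose (?<name>...) group syntax is the same as the PCRE syntax Splunk's rex command uses, so the pattern runs verbatim against the five Effort values from the question. It also shows the one edge the posted pattern leaves open: the \s after hours? inside the first optional group is mandatory, so a value that ends right after "hour" or "hours" (cases 2 and 4) produces an empty match and no hours field. The FIXED variant, which is my change and not from the thread, makes that whitespace optional. The function names are mine.

```javascript
// Added example (not from the original post): run the accepted answer's rex
// pattern, verbatim, against the five sample Effort values from the question.
// JavaScript's named-group syntax (?<name>...) is the same as the PCRE syntax
// Splunk's rex command uses, so the pattern needs no translation.

// The pattern exactly as posted in the accepted answer.
const POSTED = /((?<hours>\d+)\shours?\s)?((?<mins>\d+)\sminutes?)?/;

// Variant (my change, not from the thread): the whitespace after "hour(s)" is
// made optional so an Effort value that ends right after the word still
// captures hours.
const FIXED = /((?<hours>\d+)\shours?\s?)?((?<mins>\d+)\sminutes?)?/;

// The sample values from the question's Case|Effort table (constructed copy).
const SAMPLES = [
  '30 minutes',
  '1 hour',
  '1 hour 30 minutes',
  '2 hours',
  '2 hours 30 minutes',
];

// Apply a pattern the way rex does: take the first match and read the named
// groups. A group that did not participate comes back undefined, which is the
// equivalent of rex not creating the field at all.
function extractEffort(pattern, effort) {
  const m = pattern.exec(effort);
  if (m === null) return { hours: null, mins: null };
  const g = m.groups || {};
  return {
    hours: g.hours === undefined ? null : Number(g.hours),
    mins: g.mins === undefined ? null : Number(g.mins),
  };
}

// Roll the two fields into a single number of minutes, treating a missing
// field as zero (what fillnull + eval would do in the search itself).
function totalMinutes(effort, pattern = FIXED) {
  const { hours, mins } = extractEffort(pattern, effort);
  return (hours ?? 0) * 60 + (mins ?? 0);
}

// Show which sample values a pattern handles.
function report(pattern) {
  return SAMPLES.map((s) => ({ effort: s, ...extractEffort(pattern, s) }));
}

// Print both reports when run directly (node this_file.js).
if (typeof require !== 'undefined' && require.main === module) {
  console.log('posted pattern:', report(POSTED));
  console.log('fixed pattern: ', report(FIXED));
}
```

With the posted pattern, cases 1, 3 and 5 extract as expected while "1 hour" and "2 hours" yield neither field; with the optional trailing whitespace all five cases extract, and totalMinutes gives 30, 60, 90, 120 and 150 respectively.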


andrewtrobec
Motivator

Perfect! Thank you so much, I was almost there...
