Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Looking for a regex that extract key=values from s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking for a regex that extract key=values from same line
Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart
Splunk item Total: [ 0=233 ]
or
Splunk item Total: [ 1=220 ]
or
Splunk item Total: [ 1=220 3=40 ]
or
Splunk item Total: [ 0=50 1=210 3=30 ]
or
Splunk item Total: [ 0=100 1=205 2=10 3=5 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using extract command (works on field _raw). A runanywhere example is here:
| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ]",",")
| mvexpand raw | rename raw as _raw
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot use any of this in extract
(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])
as I have mentioned it is not constant it changes, logs sometime display
Splunk item Total: [ 0=233 ]
or
Splunk item Total: [ 1=220 ]
or
Splunk item Total: [ 1=220 3=40 ]
or
Splunk item Total: [ 0=50 1=210 3=30 ]
or
Splunk item Total: [ 0=100 1=205 2=10 3=5 ]
Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using your example data, run this query - is that what you wanted in the rex statement?
| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I confuse you, actually log is printing sometime this
Splunk item Total: [ 0=233 ]
or sometime this
Splunk item Total: [ 1=220 ]
and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one to print line graph
AI for AppInspect
App Platform's 2025 Year in Review: A Year of Innovation, Growth, and Community
Operationalizing Entity Risk Score with Enterprise Security 8.3+
