Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Looking for a regex that extract key=values from same line

YagneshShah1
New Member
‎11-10-2020 11:02 AM

Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10  3=5 ]

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-10-2020 04:07 PM

Try using extract command (works on field _raw). A runanywhere example is here:

 

| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand raw | rename raw as _raw 
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false
0 Karma
Reply

YagneshShah1
New Member
‎11-11-2020 07:49 AM

I cannot use any of this in extract

(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])

as I have mentioned it is not constant it changes, logs sometime display

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2020 01:33 PM

Using your example data, run this query - is that what you wanted in the rex statement?

| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"
0 Karma
Reply

YagneshShah1
New Member
‎11-10-2020 03:03 PM

Sorry I confuse you, actually log is printing sometime this 

Splunk item Total: [ 0=233 ]

or sometime this 

Splunk item Total: [ 1=220 ]

and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one  to print line graph 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...