Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Looking for a regex that extract key=values from same line

YagneshShah1
New Member
‎11-10-2020 11:02 AM

Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10  3=5 ]

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-10-2020 04:07 PM

Try using extract command (works on field _raw). A runanywhere example is here:

 

| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand raw | rename raw as _raw 
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false
0 Karma
Reply

YagneshShah1
New Member
‎11-11-2020 07:49 AM

I cannot use any of this in extract

(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])

as I have mentioned it is not constant it changes, logs sometime display

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2020 01:33 PM

Using your example data, run this query - is that what you wanted in the rex statement?

| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"
0 Karma
Reply

YagneshShah1
New Member
‎11-10-2020 03:03 PM

Sorry I confuse you, actually log is printing sometime this 

Splunk item Total: [ 0=233 ]

or sometime this 

Splunk item Total: [ 1=220 ]

and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one  to print line graph 

0 Karma
Reply
Get Updates on the Splunk Community!

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...

Using Machine Learning for Hunting Security Threats

WATCH NOW Seeing the exponential hike in global cyber threat spectrum, organizations are now striving more for ...

Observability Newsletter Highlights | March 2023

 March 2023 | Check out the latest and greatestSplunk APM's New Tag Filter ExperienceSplunk APM has updated ...