Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Looking for a regex that extract key=values from same line

YagneshShah1
New Member
‎11-10-2020 11:02 AM

Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10  3=5 ]

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-10-2020 04:07 PM

Try using extract command (works on field _raw). A runanywhere example is here:

 

| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand raw | rename raw as _raw 
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false
0 Karma
Reply

YagneshShah1
New Member
‎11-11-2020 07:49 AM

I cannot use any of this in extract

(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])

as I have mentioned it is not constant it changes, logs sometime display

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2020 01:33 PM

Using your example data, run this query - is that what you wanted in the rex statement?

| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"
0 Karma
Reply

YagneshShah1
New Member
‎11-10-2020 03:03 PM

Sorry I confuse you, actually log is printing sometime this 

Splunk item Total: [ 0=233 ]

or sometime this 

Splunk item Total: [ 1=220 ]

and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one  to print line graph 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security(ES) 7.3 is approaching the end of support. Get ready for ...

Hi friends!    At Splunk, your product success is our top priority. With Enterprise Security (ES), we're here ...

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Watch On Demand the Tech Talk, and empower your SOC to reach new heights! Duration: 1 hour  Prepare to ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...