Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Looking for a regex that extract key=values from s...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Looking for a regex that extract key=values from same line
Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart
Splunk item Total: [ 0=233 ]
or
Splunk item Total: [ 1=220 ]
or
Splunk item Total: [ 1=220 3=40 ]
or
Splunk item Total: [ 0=50 1=210 3=30 ]
or
Splunk item Total: [ 0=100 1=205 2=10 3=5 ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try using extract command (works on field _raw). A runanywhere example is here:
| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ]",",")
| mvexpand raw | rename raw as _raw
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I cannot use any of this in extract
(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])
as I have mentioned it is not constant it changes, logs sometime display
Splunk item Total: [ 0=233 ]
or
Splunk item Total: [ 1=220 ]
or
Splunk item Total: [ 1=220 3=40 ]
or
Splunk item Total: [ 0=50 1=210 3=30 ]
or
Splunk item Total: [ 0=100 1=205 2=10 3=5 ]
Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Using your example data, run this query - is that what you wanted in the rex statement?
| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry I confuse you, actually log is printing sometime this
Splunk item Total: [ 0=233 ]
or sometime this
Splunk item Total: [ 1=220 ]
and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one to print line graph
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Splunk Community Badges!
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
