Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help to create a regular expression

Mrig342
Contributor
‎10-05-2021 05:38 AM

Hi All,

I am trying to create a regular expression to extract a value from a given log. Below is the log:

2021-10-05 07:25:42.986, DATUM2="3095", STATUS="2", REQUEST_TYPE="103", PRIORITY="300", OWNER="490070", COUNT(1)="2"

Here I want to extract value of "COUNT(1)" and created the regular expression (?ms)COUNT\(1\)\=\"(?P<COUNT(1)>\d+)\"

But with this expression I am not able to get the field name as "COUNT(1)" which is my requirement.

Please help modify my expression to get the desired output.

 

Thank you very much.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 05:50 AM 
| makeresults
| eval _raw="2021-10-05 07:25:42.986, DATUM2=\"3095\", STATUS=\"2\", REQUEST_TYPE=\"103\", PRIORITY=\"300\", OWNER=\"490070\", COUNT(1)=\"2\""
| rex "(?ms)COUNT\(1\)\=\"(?P<COUNT_1>\d+)\""
| rename COUNT_1 as "COUNT(1)"

View solution in original post

Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎10-05-2021 05:50 AM 
| makeresults
| eval _raw="2021-10-05 07:25:42.986, DATUM2=\"3095\", STATUS=\"2\", REQUEST_TYPE=\"103\", PRIORITY=\"300\", OWNER=\"490070\", COUNT(1)=\"2\""
| rex "(?ms)COUNT\(1\)\=\"(?P<COUNT_1>\d+)\""
| rename COUNT_1 as "COUNT(1)"
Reply
Solved! Jump to solution

Mrig342
Contributor
‎10-05-2021 05:55 AM

Thank you so much ITWhisperer..!!

Your solution is perfect for my requirement. I wonder why it didn't hit my mind.. Haha..

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎10-05-2021 05:46 AM

https://www.pcre.org/current/doc/html/pcre2pattern.html#SEC16https://www.regular-expressions.info/na...

In PCRE2, a capture group can be named in one of three ways: (?<name>...) or (?'name'...) as in Perl, or (?P<name>...) as in Python. Names may be up to 32 code units long. When PCRE2_UTF is not set, they may contain only ASCII alphanumeric characters and underscores, but must start with a non-digit. When PCRE2_UTF is set, the syntax of group names is extended to allow any Unicode letter or Unicode decimal digit. In other words, group names must match one of these patterns:

  ^[_A-Za-z][_A-Za-z0-9]*\z   when PCRE2_UTF is not set
  ^[_\p{L}][_\p{L}\p{Nd}]*\z  when PCRE2_UTF is set

 In other words, you can't directly capture as group named "count(1)". You might capture with another name and rename the field later.

Reply
Solved! Jump to solution

Mrig342
Contributor
‎10-05-2021 05:57 AM

Thank you very much PickleRick..!!

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...