Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Pulling Last Integer Value from Unlabeled Field

ctallarico20
Path Finder
‎05-20-2014 05:35 AM

Hi, this is a 3-line sample of my data: What I'm trying to do is get ahold of the last two fields (524288000 and 188077720 in line 1) so I can plot their trends in a graph. How would I go about doing this? I've looked into extract(kv) and kvform and have some limited experience in rex fields, but I'm pretty new to this so any help would be appreciated. Thank you!

34 Mon May 19 13:00:09 EDT 2014 271764960 1 PS MarkSweep 0 0.0 0 0.0 524288000 524288000 524288000 188077720
34 Mon May 19 13:00:09 EDT 2014 271764990 2 PS MarkSweep 0 0.0 0 0.0 521666560 524288000 521666560 186098608
34 Mon May 19 13:00:09 EDT 2014 271764995 3 PS MarkSweep 0 0.0 0 0.0 523763712 524288000 523763712 147496952

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎05-20-2014 06:08 AM

You should use rex.

your search that produced this output | rex "(?P<firstnumber>\d+)\s+(?P<secondnumber>\d+)$"

The above search should create two new fields called firstnumber and secondnumber.
Edited to include a closing quote.

View solution in original post

Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎05-20-2014 06:08 AM

You should use rex.

your search that produced this output | rex "(?P<firstnumber>\d+)\s+(?P<secondnumber>\d+)$"

The above search should create two new fields called firstnumber and secondnumber.
Edited to include a closing quote.

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎05-20-2014 07:36 AM

The $ means "the end of the line", so in this case it give regex an anchor - it tells regex to basically look backwards from the end of the line. The ^ is the symbol for the beginning of the line.

Reply
Solved! Jump to solution

ctallarico20
Path Finder
‎05-20-2014 07:33 AM

Yeah, you guys were right! If you don't mind me asking, what does the $ command do? I'd love to understand a little how these results are being found

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎05-20-2014 06:59 AM

Did you miss the "$" sign from the regex?

Reply
Solved! Jump to solution

lukejadamec
Super Champion
‎05-20-2014 06:57 AM

I think you forgot the $ at the end.

rex "(?P<firstnumber>\d+)\s+(?P<secondnumber>\d+)\s+(?P<thirdnumber>\d+)\s+(?P<fourthnumber>\d+)\s+(?P<fifthnumber>\d+)$"

Reply
Solved! Jump to solution

ctallarico20
Path Finder
‎05-20-2014 06:52 AM

Thanks for the help!
I tried using the rex command
rex "(?P<firstnumber>\d+)\s+(?P<secondnumber>\d+)\s+(?P<thirdnumber>\d+)\s+(?P<fourthnumber>\d+)\s+(?P<fifthnumber>\d+)"
On this search, but I'm getting some weird behavior. In the above example, firstnumber is 19 (as in May 19), secondnumber is 13 (the hour), thirdnumber is 1, 2, or 3 for the respective line, fourthnumber is 524288000, 521666560, 523763712, and fifthnumber is 188077720, 186098608,147496952. As you can see, I'm getting the 4th-to-last as fourthnumber and then skipping to the last for fifthnumber, do you know why?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...