Splunk Search

RegEx - Get integer behind string

lirumlarum
Engager

Hi guys,
I'm absolutely new to RegEx and I'm very fascinated by how powerful RegEx is.

I'm trying to get an integer value that is placed behind a specific string.
This string and the integer value may appear at several places in a logfile.

Here is an example of the file:

4/11/2013;4:22:00 PM;Server konnte nicht gestartet werden, falsche Server IP/Name
4/13/2013;2:26:31 PM;Server konnte nicht gestartet werden, falsche Server IP/Name
4/14/2013;2:01:01 AM;Backup Fehler: (db1)
4/14/2013;2:01:02 AM;
4/14/2013;2:01:03 AM;ErrorCode: 17
Server offline
Der Datenbankeserver reagiert nicht.

I've been playing around with PowerGREP and RegexMagic but I didn't create one single expression that is correct for Splunk ^^

All I want to create is a new field, with the ErrorCode integer to get an overview which errors occur how often.

Can someone help me with creating this expression?
Thank you in advance 🙂

1 Solution

kristian_kolb
Ultra Champion

Hi,

your base search | rex "ErrorCode:\s+(?<err_code>\d+)"

This should give you a field called err_code which contains the ErrorCode. You can then use it in stats/tables/charts for reporting, e.g.

... | timechart span=1h count by err_code


UPDATE:

Aah,

The examples above are for the use in an ordinary search, i.e. you enter it into the search bar. your base search would be where you put your sourcetype=xxx etc.
The ... refers to any previous search statements.

To make it more permanent, you can enter it into the props.conf file (either manually or through the IFX).

The IFX 'syntax' if you were to edit the generated regex, would probably look like;

ErrorCode:\s+(?P<FIELDNAME>\d+)

Then you'll be prompted to give a name for the field (FIELDNAME is just a placeholder).

Or you can put it in the props.conf directly;

[your_sourcetype]
EXTRACT-blah = ErrorCode:\s+(?<err_code>\d+)

/K
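
An offline check of the extraction pattern from the answer above, as an added example that is not part of the original thread: it runs the regex over log lines and tallies the codes per hour, mirroring the timechart line. The sample lines beyond those in the question, the function names, and the rule that a timestamped line starts a new event are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Same pattern as the answer's rex; Python's re module needs the (?P<name>...) spelling.
ERR_RE = re.compile(r"ErrorCode:\s+(?P<err_code>\d+)")
# Event header as seen in the question's log: date;time;
HEADER_RE = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4});(\d{1,2}:\d{2}:\d{2} [AP]M);")

# Constructed sample: lines from the question plus made-up lines for edge cases.
SAMPLE = """\
4/14/2013;2:01:01 AM;Backup Fehler: (db1)
4/14/2013;2:01:02 AM;
4/14/2013;2:01:03 AM;ErrorCode: 17
Server offline
Der Datenbankeserver reagiert nicht.
4/14/2013;2:45:10 AM;ErrorCode: 17
4/14/2013;3:05:00 AM;ErrorCode:   23
4/14/2013;3:06:00 AM;ErrorCode:42
"""


def extract(log_text):
    """Return (hour_bucket, err_code) for every line that carries an ErrorCode."""
    rows, current = [], None
    for line in log_text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            # A timestamped line starts a new event; other lines continue the previous one.
            stamp = f"{header.group(1)} {header.group(2)}"
            current = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        match = ERR_RE.search(line)
        if match and current is not None:
            rows.append((current.replace(minute=0, second=0), match.group("err_code")))
    return rows


def count_by_code(rows):
    """Total occurrences per error code."""
    return Counter(code for _, code in rows)


def count_by_hour_and_code(rows):
    """Occurrences per (hour, error code), like a one-hour span grouped by err_code."""
    return Counter((bucket.strftime("%Y-%m-%d %H:00"), code) for bucket, code in rows)


if __name__ == "__main__":
    rows = extract(SAMPLE)
    print(count_by_code(rows))
    print(count_by_hour_and_code(rows))
```

The last sample line is not counted because \s+ requires at least one whitespace character after the colon; \s* would accept both spellings.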

lirumlarum
Engager

Hi Kristian,

thank you for your help 🙂

I forgot to mention that I'm also completely new to Splunk itself ^^
So I'm not sure how to add your expression to Splunk.

The only way I know so far is to do this with the "Interactive field extractor".
But when I insert the phrase in the "Edit" field Splunk returns a syntax error.

Edit1: okay I've got it 🙂 Inserted the expression into the normal search and found the new field err_code.
Thank you so much Kristian!!
