Hi guys, 
I'm absolutely new to RegEx and I'm very fascinated how powerful RegEx is.
I'm trying to get an integer value that is placed behind a specific string.
This string and the integer value may appear at several places in a logfile.
Here is an example of the file:
4/11/2013;4:22:00 PM;Server konnte nicht gestartet werden, falsche Server IP/Name
4/13/2013;2:26:31 PM;Server konnte nicht gestartet werden, falsche Server IP/Name
4/14/2013;2:01:01 AM;Backup Fehler: (db1)
4/14/2013;2:01:02 AM;
4/14/2013;2:01:03 AM;ErrorCode: 17
Server offline
Der Datenbankeserver reagiert nicht.
I've been playing around with PowerGREP and RegexMagic but I didn't create one single expression that is correct for Splunk ^^
All I want to create is a new field, with the ErrorCode integer to get an overview which errors occur how often.
Can someone help me with creating this expression?
Thank you in advance 🙂
Hi,
your base search | rex "ErrorCode:\s+(?<err_code>\d+)"
This should give you a field called err_code which contains the ErrorCode. You can then use it in stats/tables/charts for reporting, e.g.
... | timechart span=1h count by err_code
UPDATE:
Aah,
The examples above are for the use in an ordinary search, i.e. you enter it into the search bar. your base search would be where you put your sourcetype=xxx etc. 
The ... refers to any previous search statements.
To make it more permanent, you can enter it into the props.conf file (either manually or through the IFX).
The IFX 'syntax' if you were to edit the generated regex, would probably look like;
ErrorCode:\s+(?P<FIELDNAME>\d+)
Then you'll be prompted to give a name for the field (FIELDNAME is just a placeholder).
Or you can put it in the props.conf directly;
[your_sourcetype]
EXTRACT-blah =  ErrorCode:\s+(?<err_code>\d+)
/K
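To see what the rex extraction and a following `stats count by err_code` actually produce, here is an added stand-alone example (not part of the answer above or of Splunk itself) that runs the same pattern in Python, using the `(?P<name>...)` group syntax shown for the IFX. The log text is a constructed sample copied from the question, with two extra ErrorCode events added so the counts are not all one.

```python
import re
from collections import Counter

# Same pattern as the answer's rex; Python's re needs the (?P<name>...) form
# (Splunk's PCRE accepts both (?<name>...) and (?P<name>...)).
ERROR_CODE_RE = re.compile(r"ErrorCode:\s+(?P<err_code>\d+)")

# Constructed sample: the excerpt from the question plus two extra events.
SAMPLE_LOG = """\
4/11/2013;4:22:00 PM;Server konnte nicht gestartet werden, falsche Server IP/Name
4/13/2013;2:26:31 PM;Server konnte nicht gestartet werden, falsche Server IP/Name
4/14/2013;2:01:01 AM;Backup Fehler: (db1)
4/14/2013;2:01:02 AM;
4/14/2013;2:01:03 AM;ErrorCode: 17
Server offline
Der Datenbankeserver reagiert nicht.
4/15/2013;3:10:00 AM;ErrorCode: 17
4/15/2013;3:11:00 AM;ErrorCode: 42
"""


def extract_err_code(event: str):
    """Return the err_code value for one event, or None when it has none.

    This mirrors rex: events that do not match simply get no field.
    """
    match = ERROR_CODE_RE.search(event)
    return match.group("err_code") if match else None


def count_by_err_code(log_text: str) -> dict:
    """Equivalent of '... | stats count by err_code' over the sample text."""
    counts = Counter()
    for line in log_text.splitlines():
        code = extract_err_code(line)
        if code is not None:
            counts[code] += 1
    return dict(counts)


if __name__ == "__main__":
    for code, n in sorted(count_by_err_code(SAMPLE_LOG).items()):
        print(f"err_code={code} count={n}")
```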
Hi Kristian,
thank you for your help 🙂
I forgot to mention that I'm also completely new to Splunk itself ^^
So I'm not sure how to add your expression to Splunk.
The only way I know so far is to do this with the "Interactive field extractor".
But when I insert the phrase in the "Edit" field Splunk returns a syntax error.
Edit1: okay I've got it 🙂 Inserted the expression into the normal search and found the new field err_code.
Thank you so much Kristian!!
