Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Regex help

agoktas
Communicator
‎12-17-2015 01:38 PM

Hello,

Would anyone know the regex value for the final numeric value after the last comma in the following log entry:

BlahBlah 2015/12/17 13:23:48:266,63

So all I need is the number after the last comma. It can be 1 or more digits (including zero).

I'm creating a named variable, but this doesn't work: 

| rex ", (?P<TrasactionTime>\d+)$" | top 10 TrasactionTime

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-17-2015 01:49 PM

Hi agoktas,

almost correct, your regex has a whitespace too much so this will work:

your search here | rex ",(?<TrasactionTime>\d+)$" | top 10 TrasactionTime

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
SplunkTrust
SplunkTrust
‎12-17-2015 01:49 PM

Hi agoktas,

almost correct, your regex has a whitespace too much so this will work:

your search here | rex ",(?<TrasactionTime>\d+)$" | top 10 TrasactionTime

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 03:06 PM

Bingo! That's it. 🙂 I knew it was close. 😉

By the way, how do you sort by the values it returns? I noticed if I do a:
| top 10 TrasactionTime
It will only return the 10 most frequent occurred values, versus the top 10 values.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-17-2015 03:11 PM

after the rex instead of top use sort TrasactionTime for ascending or sort - TrasactionTime for descending sort and add also | head 10 at the end to get only the the last 10 result after the sort.

Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 03:34 PM

Perfect.

One last thing... sorry...
How do you only allow the "TrasactionTime" column to show?

It now displays the TrasactionTime & Rawlog columns. The raw log clutters the panel.

Thanks.

0 Karma
Reply
Solved! Jump to solution

MuS
SplunkTrust
SplunkTrust
‎12-17-2015 04:37 PM

either use:

  | fields TrasactionTime

or 

  | table TrasactionTime

BTW should this be TransactionTime instead of TrasactionTime?

Feel free to up vote the additional answers - thanks :))

Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 04:42 PM

Table TransactionTime worked perfectly.

fields TransactionTime still had other columns.

Yes, I made a typo. "Transaction" is correct. 😉

Thanks again for all your help!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-17-2015 01:46 PM

Try this 

... | rex (?<TransactionTime>\d+)$ | top 10 TransactionTime
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...