Solved: Re: Regex to extract a number from string

ahogbin · ‎02-02-2016

Hello,

I am trying (rather unsuccessfully) to extract a number of varying length form a sting. The constants are 0s and us with the string in question being 0s/XXXXXus (with X being the numbers I am trying to extract - the number length varies).

I have tried some examples but none do what i am after (most likely due to the fact that I am not sure how best to modify them).

My expression is "0s/(?\d+)us$" but as mentioned above it is not working.

Help !!!

Much thanks in adavance for any help or pointers.

Cheers,

Alastair

somesoni2 · ‎02-02-2016

Without sample data, it would be tough to provide most correct option but give this a try

your base search | rex field=_raw "0s\/(?<YourNumber>\d+)us$"

View solution in original post

ramark · ‎03-08-2019

I want extract 301. Log "GET / HTTP/1.1" 301 248.
Thanks,I want to extract 301 in "GET / HTTP/1.1" 301 248. Any help.
Thanks

macadminrohit · ‎03-08-2019

"GET \/ HTTP\/\d.\d" (?\d{3})

ramark · ‎03-08-2019

|rex field=_raw "GET \/ HTTP\/\d.\d" (?\d{3})

Error in 'rex' command: The regex 'GET \/ HTTP\/\d.\d' does not extract anything. It should specify at least one named group. Format: (?...).

ramark · ‎03-08-2019

thanks for the help

macadminrohit · ‎03-08-2019

"GET \/ HTTP\/\d.\d" (?<Number>\d{3})

Not sure why the named group got missed in my response.

richgalloway · ‎03-08-2019

@ramark This thread is more than three years old and has an accepted answer so it's unlikely anyone will see your response. If you are having a similar problem, please post a new question describing it and how this answer did not solve it.

---
If this reply helps you, Karma would be appreciated.

somesoni2 · ‎02-02-2016

Without sample data, it would be tough to provide most correct option but give this a try

your base search | rex field=_raw "0s\/(?<YourNumber>\d+)us$"

Lowell · ‎02-03-2016

I've found regex101.com to be very helpful debugging regexes, and there's a good bit of online help available on the page if you need a refresher on regex syntax. For learning regexes and advanced topics, check out www.regular-expressions.info

ahogbin · ‎02-02-2016

Umm... still no joy.

The sample data is
10.93.10.26 - - [03/Feb/2016:11:02:41 +1100] "POST /web/uw-wbc/motor-quote?p_auth=9TDBHxxK&p_p_id=InternetMotorQuotePortlet_WAR_UnderwritingManagementView&p_p_lifecycle=1&p_p_state=normal&p_p_mode=view&p_p_col_id=column-1&p_p_col_count=2&p_p_col_pos=1&InternetMotorQuotePortlet_WAR_UnderwritingManagementViewfacesViewIdRender=%2FWEB-INF%2Fpages%2Fquote%2Fmotor-internet%2FvehicleDetailsInternet.xhtml HTTP/1.1" 200 98343 "https://www.einsure.com.au/safire/web/uw-wbc/motor-quote?p_auth=9TDBHxxK&p_p_id=InternetMotorQuotePo..._facesViewIdRender=%2FWEB-INF%2Fpages%2Fquote%2Fmotor-internet%2FyourDetails.xhtml" "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" - 98343 bytes 1s/1754987us Unauthenticated 00009CLAaSHjoHtKqKTPFURE3ob:18mta0ukm

and the attempted extraction appears towards the end of the sample (after the word bytes). I have amended to include the varying number before 's'

rex field=_raw "\ds\/(?<RESP>\d+)us$"

Thank you for the help so far

Cheers,

Alastair

Richfez · ‎02-02-2016

If you have difficulty, try removing the trailing $ sign. In that context it means "the end of the entire line" and as somesoni2 mentioned without sample data it's hard to confirm if it's the end of the string or not.

your base search | rex field=_raw "0s\/(?<YourNumber>\d+)us"

ahogbin · ‎02-02-2016

Perfect... as you suggested I just needed to remove the trailing $ as the data did not occur at the end of the line.

Please ignore the post below

Thank you so much

Regex to extract a number from string

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms