Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return string of numbers after equals sign

AlexMcDuffMille
Communicator
‎09-23-2013 12:26 PM

I'm trying to create a regex so that I can pull a string of numbers out of a log file.

I can limit my search so that only the specific log files appear, but when I do the interactive field extraction other files show up for some reason...

I have a log file that says "DataX Entry GB= 5123521 Data Entry GB=1265649"

I would like a field in Splunk that just has "1265649" in it for each log entry. Sometimes the number will be more or less digits. I tried making a regex that simply returned a string of numbers after "Data Entry GB=", but that didn't work.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

View solution in original post

Reply
Solved! Jump to solution

AlexMcDuffMille
Communicator
‎09-23-2013 01:41 PM

Sorry, I forgot that part. I was using (?=Free Memory KB=)[0-9]+\b

I guess the lookahead method didn't work as the other reply did work for me.

Thanks for your help!

0 Karma
Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-23-2013 12:42 PM

Can you post the regular expression you tried? Saying that it "didn't work" is rather open-ended. Note that the markup here will require you to double all of your \ (as in \d, etc).

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...