Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return string of numbers after equals sign

AlexMcDuffMille
Communicator
‎09-23-2013 12:26 PM

I'm trying to create a regex so that I can pull a string of numbers out of a log file.

I can limit my search so that only the specific log files appear, but when I do the interactive field extraction other files show up for some reason...

I have a log file that says "DataX Entry GB= 5123521 Data Entry GB=1265649"

I would like a field in Splunk that just has "1265649" in it for each log entry. Sometimes the number will be more or less digits. I tried making a regex that simply returned a string of numbers after "Data Entry GB=", but that didn't work.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

View solution in original post

Reply
Solved! Jump to solution

AlexMcDuffMille
Communicator
‎09-23-2013 01:41 PM

Sorry, I forgot that part. I was using (?=Free Memory KB=)[0-9]+\b

I guess the lookahead method didn't work as the other reply did work for me.

Thanks for your help!

0 Karma
Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-23-2013 12:42 PM

Can you post the regular expression you tried? Saying that it "didn't work" is rather open-ended. Note that the markup here will require you to double all of your \ (as in \d, etc).

0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...