Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return string of numbers after equals sign

AlexMcDuffMille
Communicator
‎09-23-2013 12:26 PM

I'm trying to create a regex so that I can pull a string of numbers out of a log file.

I can limit my search so that only the specific log files appear, but when I do the interactive field extraction other files show up for some reason...

I have a log file that says "DataX Entry GB= 5123521 Data Entry GB=1265649"

I would like a field in Splunk that just has "1265649" in it for each log entry. Sometimes the number will be more or less digits. I tried making a regex that simply returned a string of numbers after "Data Entry GB=", but that didn't work.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

View solution in original post

Reply
Solved! Jump to solution

AlexMcDuffMille
Communicator
‎09-23-2013 01:41 PM

Sorry, I forgot that part. I was using (?=Free Memory KB=)[0-9]+\b

I guess the lookahead method didn't work as the other reply did work for me.

Thanks for your help!

0 Karma
Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-23-2013 12:42 PM

Can you post the regular expression you tried? Saying that it "didn't work" is rather open-ended. Note that the markup here will require you to double all of your \ (as in \d, etc).

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...