Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Return string of numbers after equals sign

AlexMcDuffMille
Communicator
‎09-23-2013 12:26 PM

I'm trying to create a regex so that I can pull a string of numbers out of a log file.

I can limit my search so that only the specific log files appear, but when I do the interactive field extraction other files show up for some reason...

I have a log file that says "DataX Entry GB= 5123521 Data Entry GB=1265649"

I would like a field in Splunk that just has "1265649" in it for each log entry. Sometimes the number will be more or less digits. I tried making a regex that simply returned a string of numbers after "Data Entry GB=", but that didn't work.

Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

View solution in original post

Reply
Solved! Jump to solution

AlexMcDuffMille
Communicator
‎09-23-2013 01:41 PM

Sorry, I forgot that part. I was using (?=Free Memory KB=)[0-9]+\b

I guess the lookahead method didn't work as the other reply did work for me.

Thanks for your help!

0 Karma
Reply
Solved! Jump to solution
Solution

jhupka
Path Finder
‎09-23-2013 12:44 PM

Could you use the rex command to extract these? Here's an example that pulls out the two GB values in fields named DataXGB and DataGB:

<first part of your search> | rex "DataX Entry GB=(?<DataXGB>\d+) Data Entry GB=(?<DataGB>\d+)"

Note that the rex command is working over the _raw field by default...so you might need to adjust the regex a bit if your data doesn't appear exactly in _raw like in your question.

Reply
Solved! Jump to solution

sowings
Splunk Employee
Splunk Employee
‎09-23-2013 12:42 PM

Can you post the regular expression you tried? Saying that it "didn't work" is rather open-ended. Note that the markup here will require you to double all of your \ (as in \d, etc).

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  &#x1f680; Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...