Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex expression built with field extractor not working?

nkavouris
Path Finder
‎02-24-2025 10:13 AM

I have a reliable base query to find events containing the information I want.

I built a rex using the field extractor, but applying the rex expression in a search does not yield any results, the values(gts_percent) column is always blank


Sample query:

index="june_analytics_logs_prod" $serial$ log_level=info message=*hardware_controller*|
rex field=message "(?=[^G]*(?:GTS weight:|G.*GTS weight:))^(?:[^\.\n]*\.){7}\d+\w+,\s+\w+:\s+(?P<gts_percent>\d+)"|
convert rmunit(gts_percent)|
chart values(gts_percent) by _time

 

Sample raw_ result :

{"bootcount":8,"device_id":"XXX","environment":"prod_walker","event_source":"appliance","event_type":"GENERIC","local_time":"2025-02-20T00:47:48.124-06:00",
"location":{"city":"XX","country":"XX","latitude":XXX,"longitude":XXX,"state":"XXX"},
"log_level":"info","message":"martini::hardware_controller: GTS weight: 17.05kg, tare weight: 8.1kg, net weight: 8.95kg, fill weight: 6.8kg, percent: 100%\u0000",
"model_number":"XXX","sequence":403659,"serial":"XXX","software_version":"2.3.0.276","ticks":0,"timestamp":1740034068,"timestamp_ms":1740034068124}

 

I am trying to extract the bold value in the raw, Where is my rex messing up?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-24-2025 10:54 AM

The field extractor and erex commands tend to create overly complicated expressions.  This one should work.

| rex field=message "percent: (?<gts_percent>\d+)"

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎02-24-2025 10:54 AM

The field extractor and erex commands tend to create overly complicated expressions.  This one should work.

| rex field=message "percent: (?<gts_percent>\d+)"

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

nkavouris
Path Finder
‎02-24-2025 11:30 AM

this worked like a charm! 
thank you!

Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...