Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Rex field extraction

michaeler
Communicator
‎01-26-2023 07:34 AM

I am trying to determine the average time for a set of issues to get resolved. I already created a field named "Duration" that extracts the time periods, the issue is that they're labeled in different time formats, with some combination of Day Hour Minute (ex. 4d 7h 20m, 1d 13m, 7h 43m, 5h, 25m).

Duration is a rex created field which pulls the info from a string that looks something like this:

issue="D830 System Down - 1930E 13 Jan - 2240 14 Jan (1d 3h 10m) - MU3892"

Here is part of the search:

index=main ...................
.
.
| rex field=issue ".*\((?P<Duration>\d[^\)]+"
| rex field=Duration "((?P<Days>\d{0,2})d\s)?((?P<Hours>\d{0,2})h\s)?(?P<Mins>\d{0,2})m"
| eval Days=tonumber(Days)
eval Hours=tonumber(Hours)
eval Mins=tonumber(Mins)
| eval MTTR=((Days*1440)+(Hours*60)+(Mins))/60
| table Duration Days Hours Mins MTTR

Two combinations work successfully - 1d 12m and 43m
Anything that includes the Hours field breaks the rex:
- 1d 10h 20m and 20h 10m only pulls Mins
- 5h doesn't work at all

I ran it in regex101 and it should work for all. What is wrong with my "rex field=Duration " line?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-26-2023 07:54 AM

You need to allow for there not being a space after h (and d for that matter) and for minutes to be optional

((?P<Days>\d{0,2})d\s*)?((?P<Hours>\d{0,2})h\s*)?((?P<Mins>\d{0,2})m)?

https://regex101.com/r/nLGQRT/1

View solution in original post

Reply
Solved! Jump to solution

michaeler
Communicator
‎01-26-2023 08:03 AM

Update: I altered the rex and am now extracting all combinations except ones that only include Hours (ex 5h, 19h). 3d 7h 20m and 7d 20m are not successful.

Here is the update:

rex field=Duration "((?P<Days>\d{0,2})d\s)?((?P<Hours>\d{0,2})h\s)?((?P<Mins>\d{0,2})m)?"

Would it be easier just to do a separate rex to pull times that only include h?

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-26-2023 08:19 AM

You have probably already worked out that you had not included the "*" after the "\s" for both days and hours.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎01-26-2023 07:54 AM

You need to allow for there not being a space after h (and d for that matter) and for minutes to be optional

((?P<Days>\d{0,2})d\s*)?((?P<Hours>\d{0,2})h\s*)?((?P<Mins>\d{0,2})m)?

https://regex101.com/r/nLGQRT/1

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...