Solved: Trouble extracting field using regex

gopx101 · ‎05-02-2019

I'm having an issue using regex to extract some _raw data and I hope someone can help me.

The below regex examples works successfully in a regex checker but not in Splunk.

Regex:
^(?:query\/time\",\"value\":)(?P\d+) OR
^(query\/time\",\"value\":)(?P\d+)

Data from Splunk _raw
"query/time\",\"value\":319

In this example I need to place 319 into variable query_time

Thanks in advance to anyone that can provide a regex that will work in Splunk.

somesoni2 · ‎05-02-2019

Give this a try

\"query\/time[^\:]+\:(?<YourFieldNameHere>\d+)

pruthvikrishnap · ‎05-02-2019

Try this :(.*)$
Let me know if this works

somesoni2 · ‎05-02-2019

Give this a try

\"query\/time[^\:]+\:(?<YourFieldNameHere>\d+)

lakromani · ‎05-02-2019

Are you sure you need to escape the : ?
Your suggestion

[^\:]+\:

I think this should work

[^:]+:

gopx101 · ‎05-02-2019

This worked perfectly. Thank you.

Trouble extracting field using regex