Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Value that may or may not be there in field extraction

aohls
Contributor
‎07-12-2019 06:42 AM

I am attempting to setup an exctraction for the following; 2 hrs 2 mins 36 secs 312 ms; extracting it as the time values as follows:

(?<hours>\d+) hrs (?<minutes>\d+) mins (?<seconds>\d+) secs (?<milliseconds>\d+) ms

The issue is that at times we will have something line; 1 hr 2 mins 36 secs 312 ms or even just 312 ms. Can I make the extraction account for values that may or may not be there? I know with some regex's before I used a ? to say the value may or may not be there but I am not sure in the field extractor for the full value.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-12-2019 06:54 AM

Something like this: EXTRACT-time = (?<hrs>\d+ hrs?)?\s*(?<mins>\d+ mins?)?\s*(?<secs>\d+ secs?)?\s*(?<ms>\d+ ms)?
https://regex101.com/r/qHE6lA/1

Or if you want to extract the whole things as 1 field: EXTRACT-time = (?<time>(?:\d+ hrs?)?\s*(?:\d+ mins?)?\s*(?:\d+ secs?)?\s*(?:\d+ ms)?)
https://regex101.com/r/qHE6lA/2

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-12-2019 06:54 AM

Something like this: EXTRACT-time = (?<hrs>\d+ hrs?)?\s*(?<mins>\d+ mins?)?\s*(?<secs>\d+ secs?)?\s*(?<ms>\d+ ms)?
https://regex101.com/r/qHE6lA/1

Or if you want to extract the whole things as 1 field: EXTRACT-time = (?<time>(?:\d+ hrs?)?\s*(?:\d+ mins?)?\s*(?:\d+ secs?)?\s*(?:\d+ ms)?)
https://regex101.com/r/qHE6lA/2

Reply
Solved! Jump to solution

aohls
Contributor
‎07-12-2019 07:19 AM

The top gets close, but I do not want the hrs,mins,etc included in the extracted field. for example it is extracting "2 hrs" but I was looking to get "2".

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-12-2019 07:35 AM

Oh, yes, ofcourse: (?<hrs>\d+)?(?: hrs?\s+)?(?<mins>\d+)?(?: mins?\s+)?(?<secs>\d+)?(?: secs?\s+)?(?<ms>\d+)?(?: ms)?
https://regex101.com/r/qHE6lA/3

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎07-12-2019 08:00 AM

This worked perfect. Using (?: mins?\s+)? I assume is potentially to find the word after, so it may or may not find it due to the ? at the end correct? Just want to make sure to understand it.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-14-2019 01:39 AM

Yes, ? means match 0 or 1 times. So I add that behind each of the groups as well as behind the s in case it shows 1 hr or something like that.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...