Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Value that may or may not be there in field extraction

aohls
Contributor
‎07-12-2019 06:42 AM

I am attempting to setup an exctraction for the following; 2 hrs 2 mins 36 secs 312 ms; extracting it as the time values as follows:

(?<hours>\d+) hrs (?<minutes>\d+) mins (?<seconds>\d+) secs (?<milliseconds>\d+) ms

The issue is that at times we will have something line; 1 hr 2 mins 36 secs 312 ms or even just 312 ms. Can I make the extraction account for values that may or may not be there? I know with some regex's before I used a ? to say the value may or may not be there but I am not sure in the field extractor for the full value.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-12-2019 06:54 AM

Something like this: EXTRACT-time = (?<hrs>\d+ hrs?)?\s*(?<mins>\d+ mins?)?\s*(?<secs>\d+ secs?)?\s*(?<ms>\d+ ms)?
https://regex101.com/r/qHE6lA/1

Or if you want to extract the whole things as 1 field: EXTRACT-time = (?<time>(?:\d+ hrs?)?\s*(?:\d+ mins?)?\s*(?:\d+ secs?)?\s*(?:\d+ ms)?)
https://regex101.com/r/qHE6lA/2

View solution in original post

Reply
Solved! Jump to solution
Solution

FrankVl
Ultra Champion
‎07-12-2019 06:54 AM

Something like this: EXTRACT-time = (?<hrs>\d+ hrs?)?\s*(?<mins>\d+ mins?)?\s*(?<secs>\d+ secs?)?\s*(?<ms>\d+ ms)?
https://regex101.com/r/qHE6lA/1

Or if you want to extract the whole things as 1 field: EXTRACT-time = (?<time>(?:\d+ hrs?)?\s*(?:\d+ mins?)?\s*(?:\d+ secs?)?\s*(?:\d+ ms)?)
https://regex101.com/r/qHE6lA/2

Reply
Solved! Jump to solution

aohls
Contributor
‎07-12-2019 07:19 AM

The top gets close, but I do not want the hrs,mins,etc included in the extracted field. for example it is extracting "2 hrs" but I was looking to get "2".

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-12-2019 07:35 AM

Oh, yes, ofcourse: (?<hrs>\d+)?(?: hrs?\s+)?(?<mins>\d+)?(?: mins?\s+)?(?<secs>\d+)?(?: secs?\s+)?(?<ms>\d+)?(?: ms)?
https://regex101.com/r/qHE6lA/3

0 Karma
Reply
Solved! Jump to solution

aohls
Contributor
‎07-12-2019 08:00 AM

This worked perfect. Using (?: mins?\s+)? I assume is potentially to find the word after, so it may or may not find it due to the ? at the end correct? Just want to make sure to understand it.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-14-2019 01:39 AM

Yes, ? means match 0 or 1 times. So I add that behind each of the groups as well as behind the s in case it shows 1 hr or something like that.

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...