Splunk Search
Highlighted

Why is my rex search not extracting the expected value?

New Member

I have a string like this:

dps.qsz=0,dps.lck=false,dps.dis=false,dps.mx=2,dps.ac=0

Now, I want to extract dps.mx=

The current search I have is:

rex field=_raw "dps.mx=(?\d{1,2})" | table AVZE

but it's not giving the exact value 2.

Can anyone help?

0 Karma

Re: Why is my rex search not extracting the expected value?

Splunk Employee
Splunk Employee

Try:

rex "dps\.mx=(?<dpsmx>\d{1,2})"

You need to escape the . earlier on, as well as name the extraction.

Highlighted

Re: Why is my rex search not extracting the expected value?

Champion

Are you sure the field doesn't already exist as dpx_mx? The automatic field extraction should find those key=value pairs in your data due to the format. And it will automatically convert the . to underscore.

If so you could just use that field or rename it to whatever you'd like:

| rename dpx_mx as dpxmx
0 Karma