Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Why is my rex search not extracting the expected value?

chsanth
New Member
‎03-24-2015 02:36 PM

I have a string like this:

dps.qsz=0,dps.lck=false,dps.dis=false,dps.mx=2,dps.ac=0

Now, I want to extract dps.mx=

The current search I have is:

rex field=_raw "dps.mx=(?\d{1,2})" | table AVZE

but it's not giving the exact value 2.

Can anyone help?

0 Karma
Reply

the_wolverine
Champion
‎03-24-2015 08:21 PM

Are you sure the field doesn't already exist as dpx_mx? The automatic field extraction should find those key=value pairs in your data due to the format. And it will automatically convert the . to underscore.

If so you could just use that field or rename it to whatever you'd like:

| rename dpx_mx as dpxmx
0 Karma
Reply

aljohnson_splun
Splunk Employee
Splunk Employee
‎03-24-2015 02:53 PM

Try:

rex "dps\.mx=(?<dpsmx>\d{1,2})"

You need to escape the . earlier on, as well as name the extraction.

Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...