Splunk Search

Why is my rex statement unable to extract the field?

Explorer

I have this rex with an assigned field:

regex _raw="(?<total_GC_time>0?.\d+)" 

I'm searching lines like this:

2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds 

and I'm trying to capture the 0.0... for all lines.

The events come up fine, but when I try to table total_GC_time, all the fields are empty. Is it a problem with the regex _raw call?


SplunkTrust

Hi jsiker,

try this regex:

regex _raw="(?<total_GC_time>0\.\d+)"

this will capture only the seconds after .. threads were stopped:

Hope this helps ...

cheers, MuS


SplunkTrust

Try something like this

your base search | rex "(?<total_GC_time>[0-9\.]+)\s*seconds$"


SplunkTrust

btw, you can test your regex with Splunk directly like this:

$SPLUNK_HOME/bin/splunk cmd pcregextest mregex="(?<total_GC_time>0\.\d+)" test_str="2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds"

and the result will look like this:

Original Pattern: '(?<total_GC_time>0\.\d+)'
Expanded Pattern: '(?<total_GC_time>0\.\d+)'
Regex compiled successfully. Capture group count = 1. Named capturing groups = 1.
SUCCESS - match against: '2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |   total_GC_time | 0.0010090

Explorer

Do I do this in the normal search box? I've been unable to get this to work.


SplunkTrust

Log in to your Splunk server OS, go to your Splunk install directory (e.g. /opt/splunk/bin) and run it there.


Explorer

Haha, if I had access to our Splunk server, life would be grand. Sadly I don't. 😞


SplunkTrust

@jsiker here comes Web-cli App https://splunkbase.splunk.com/app/1607/ to the rescue 🙂


Motivator

I always just use https://regex101.com/

Depending on the complexity and variability in the logs I'm trying to extract fields from, I might do something like this to get at the data:

sourcetype = foo | dedup punct | head 10 | table _raw

SplunkTrust

Similar, but not as good as @MuS's testing method, especially if you don't have server access:

| gentimes start=-1 | eval _raw="2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds" | rex "(?<total_GC_time>[0-9\.]+)\s*seconds$"

This can run in any Splunk instance, and I use this for testing my regex.

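The three patterns from this thread side by side, as an added example that is not part of the original thread or of Splunk itself. The script mimics what the rex command does (apply the pattern to each event, populate the named group) and then prints a table of the extracted value per event, so the behaviour of each pattern can be checked offline. It assumes two constructed sample events in the GC-log format quoted above; the helper names pcre_to_python, rex and table are my own. Two points it makes visible: in the question's pattern the unescaped `.` is a wildcard and `0?` is optional, so the first match lands at the very start of the timestamp rather than on the pause time; and the accepted pattern only matches pauses below one second, whereas the `\s*seconds$` variant also covers longer pauses.

```python
import re

# Constructed sample events in the GC-log format quoted in the thread (not from a live system).
SAMPLE_EVENTS = [
    "2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application "
    "threads were stopped: 0.0010090 seconds",
    "2015-09-10T16:47:02.118-0400: 861098.631: Total time for which application "
    "threads were stopped: 1.2345678 seconds",
]

# The three patterns from the thread, labelled for the comparison below.
PATTERNS = {
    "original": r"(?<total_GC_time>0?.\d+)",               # the question's pattern
    "accepted": r"(?<total_GC_time>0\.\d+)",               # MuS's fix
    "anchored": r"(?<total_GC_time>[0-9\.]+)\s*seconds$",  # somesoni2's variant
}


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups '(?<name>...)' (the syntax Splunk rex accepts)
    into Python's '(?P<name>...)' form. Lookbehinds '(?<=' and '(?<!' are left alone."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def rex(pattern: str, event: str) -> dict:
    """Mimic 'rex': apply the pattern to one event and return the named groups it
    captured, or an empty dict when nothing matches (rex then leaves the field absent)."""
    match = re.search(pcre_to_python(pattern), event)
    return match.groupdict() if match else {}


def table(label: str, events=SAMPLE_EVENTS) -> list:
    """Mimic '| table total_GC_time' for one pattern: the value extracted from
    each event, or None where the field was not populated."""
    return [rex(PATTERNS[label], e).get("total_GC_time") for e in events]


if __name__ == "__main__":
    for label in PATTERNS:
        print(f"{label:9s} {table(label)}")
```

Run it as a script to see the three rows; the "original" row shows the timestamp prefix being captured, the "accepted" row shows the second event left empty, and the "anchored" row shows both pause times.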

Explorer

Awesome! Thanks, both work. I realize now I didn't have a pipe between the rex and the rest of my search. Great tip for the testing too, didn't know you could do that!
