Why is my rex statement unable to extract the field?

Explorer

I have this rex with an assigned field:

regex _raw="(?<total_GC_time>0?.\d+)" 

I'm searching lines like this:

2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds 

and I'm trying to capture the 0.0... for all lines.

The events come up fine, but when I try to table total_GC_time, all the fields are empty. Is it a problem with the regex _raw call?

0 Karma
1 Solution

SplunkTrust

Hi jsiker,

try this regex:

regex _raw="(?<total_GC_time>0\.\d+)"

this will capture only the seconds after .. threads were stopped:

Hope this helps ...

cheers, MuS


Revered Legend

Try something like this

your base search | rex "(?<total_GC_time>[0-9\.]+)\s*seconds$"
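As an added example (not part of the original thread, and not Splunk's own code), here is a small Python model of the two commands the question mixes up, run over constructed GC log lines in the same format as the one quoted. The functions `splunk_regex` and `splunk_rex` are assumed stand-ins for Splunk's `regex` and `rex` commands: `regex` only keeps or drops whole events and never creates a field, while `rex` turns the named groups of the first match into fields. Python's `re` needs `(?P<name>...)` where Splunk's PCRE accepts `(?<name>...)`, so the patterns are converted before compiling. Running it shows why the question's `0?.\d+` captures `2015` from the start of every line (the `0?` is optional and `.` matches any character), and why the `seconds$`-anchored form from the answer above is the safer choice: the shorter `0\.\d+` also matches inside a timestamp such as `16:46:40.000` and returns `0.000` instead of the pause time.

```python
import re

# Constructed sample events. The first is the line quoted in the question; the
# others are made up in the same HotSpot GC log format to show the edge cases.
EVENTS = [
    "2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application "
    "threads were stopped: 0.0010090 seconds",
    "2015-09-10T16:46:32.104-0400: 861068.617: Total time for which application "
    "threads were stopped: 0.0234567 seconds",
    # Timestamp seconds end in 0 -> "40.000" contains a "0.<digits>" substring.
    "2015-09-10T16:46:40.000-0400: 861076.513: Total time for which application "
    "threads were stopped: 0.0005000 seconds",
    # A GC line that is not a safepoint/stop line at all.
    "2015-09-10T16:46:41.500-0400: 861077.013: [GC (Allocation Failure) "
    "1024K->512K(2048K), 0.0030000 secs]",
]

# Patterns as they appear in the thread (Splunk / PCRE named-group syntax).
PATTERN_QUESTION = r"(?<total_GC_time>0?.\d+)"
PATTERN_SIMPLE = r"(?<total_GC_time>0\.\d+)"
PATTERN_ANCHORED = r"(?<total_GC_time>[0-9\.]+)\s*seconds$"


def pcre_to_python(pattern: str) -> str:
    """Rewrite PCRE named groups (?<name>...) to Python's (?P<name>...).

    Only a '<' followed by a name character is rewritten, so lookbehinds
    (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?=[A-Za-z_])", "(?P<", pattern)


def splunk_regex(pattern: str, events):
    """Assumed model of the `regex` command: it FILTERS events whose _raw
    matches and never creates a field. That is why the events 'come up fine'
    while `table total_GC_time` is empty."""
    rx = re.compile(pcre_to_python(pattern))
    return [e for e in events if rx.search(e)]


def splunk_rex(pattern: str, event: str):
    """Assumed model of the `rex` command: the first match's named groups
    become fields; no match means no field."""
    m = re.compile(pcre_to_python(pattern)).search(event)
    return m.groupdict() if m else {}


def table(pattern: str, field: str, events):
    """Assumed model of `... | rex "<pattern>" | table <field>`:
    one value per event, None where the field was not extracted."""
    return [splunk_rex(pattern, e).get(field) for e in events]


if __name__ == "__main__":
    print("regex keeps:", len(splunk_regex(PATTERN_QUESTION, EVENTS)), "events, no field")
    for label, pat in (("question", PATTERN_QUESTION),
                       ("0\\.\\d+", PATTERN_SIMPLE),
                       ("anchored", PATTERN_ANCHORED)):
        print(f"{label:>9}: {table(pat, 'total_GC_time', EVENTS)}")
```

The anchored pattern returns no field for the `[GC ...]` line, which is what you want when the goal is only the safepoint pause times; if those lines should also be counted, add a second `rex` for the `secs]` form rather than loosening this one.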


SplunkTrust

btw, you can test your regex with Splunk directly like this:

$SPLUNK_HOME/bin/splunk cmd pcregextest mregex="(?<total_GC_time>0\.\d+)" test_str="2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds"

and the result will look like this:

Original Pattern: '(?<total_GC_time>0\.\d+)'
Expanded Pattern: '(?<total_GC_time>0\.\d+)'
Regex compiled successfully. Capture group count = 1. Named capturing groups = 1.
SUCCESS - match against: '2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds'

#### Capturing group data ##### 
Group |            Name | Value
--------------------------------------
    1 |   total_GC_time | 0.0010090

Explorer

Do I do this in the normal search box? I've been unable to get this to work.

0 Karma

SplunkTrust

Log in to your Splunk server OS, go to your Splunk install directory (for example /opt/splunk/bin) and run it there.

0 Karma

Explorer

Haha, if I had access to our Splunk server, life would be grand. Sadly I don't. 😞

0 Karma

SplunkTrust

@jsiker here comes Web-cli App https://splunkbase.splunk.com/app/1607/ to the rescue 🙂

0 Karma

Motivator

I always just use https://regex101.com/

Depending on the complexity and variability in the logs I'm trying to extract fields from I might do something like this to get at the data

sourcetype = foo | dedup punct | head 10 | table _raw

0 Karma

Revered Legend

Similar, but not as good as @MuS's testing method, especially if you don't have server access:

| gentimes start=-1 | eval _raw="2015-09-10T16:46:31.320-0400: 861067.833: Total time for which application threads were stopped: 0.0010090 seconds" | rex "(?<total_GC_time>[0-9\.]+)\s*seconds$"

This can run in any Splunk instance, and I use this for testing my regex.

0 Karma

Explorer

Awesome! Thanks, both work. I realize now I hadn't had a pipe between the rex and the rest of my search. Great tip for the testing too, didn't know you could do that!

0 Karma