Solved: Re: field extraction

vinod0313 · ‎05-24-2021

I have logs like below
findContractsByPersonId(String) executed in 463 milliseconds
findContractsByPersonId(String) executed in 4,681 milliseconds
findContractsByPersonId(String) executed in 3,671 milliseconds
findContractsByPersonId(String) executed in 681 milliseconds

and i want to create a field which will give values from log like below
463
4,681
3,671
681

i did filed extraction with below log
findContractsByPersonId(String) executed in 463 milliseconds

i am able to create filed but i can only get non coma separated values, i mean i am getting only
463
681 values
i am not getting coma included values (those are 4,681 and 3,671)
could you please suggest in order to get all the values (comma included values also)

javiergn · ‎05-24-2021

Hi @vinod0313 ,

You could try with the rex command and the following regex for instance:

| rex "in (?<value>[\d\,\.]+) milliseconds$"

Let me know if that helps.

Regards,

J

View solution in original post

vinod0313 · ‎05-24-2021

HI @javiergn

is there any chance we can disply the result without comma.As of now we are getting 2,061 but i want as 2061(comma should not be in the result)

javiergn · ‎05-24-2021

Yes, you can use the rex command again with the mode=sed to remove the comma. Assuming your field name is "value" it would be something like:

| rex field=value mode=sed "s/\,//g"

If that worked for you please don't forget to upvote the answer so that others can benefit from it.

Regards,

J

vinod0313 · ‎05-24-2021

Thanks @javiergn
it worked.

javiergn · ‎05-24-2021

Hi @vinod0313 ,

You could try with the rex command and the following regex for instance:

| rex "in (?<value>[\d\,\.]+) milliseconds$"

Let me know if that helps.

Regards,

J

field extraction

other

Harnessing Splunk’s Federated Search for Amazon S3

Infographic provides the TL;DR for the 2024 Splunk Career Impact Report

Enterprise Security Content Update (ESCU) | New Releases