help with rex

rguntupalli8 · ‎05-01-2012

Trying to evaluate the below:

1min=1;5min=1;60min=1;24hr=1

Below seem to be not working. Anything wrong with this?

| rex field=_raw "1min=(?<1min>.+?);5min=(?<5min>.+?);60min=(?<60min>.+?);24hr=(?<24hr>.+?)"

chimell · ‎12-12-2016

Hi

Try this search code

.........................|rex field=_raw "1min\=(?<one_min>[^\;])\;5min\=(?<five_min>[^\;])\;60min\=(?<sixty_min>[^\;])\;24hr\=(?<twenty_four_hr>[\d+])"|table one_min five_min sixty_min twenty_four_hr

kristian_kolb · ‎05-02-2012

You could try to be more specific in the matching, like;

rex "1min=(?<1min>\d+);5min=(?<5min>\d+);60min=(?<60min>\d+);24hr=(?<24hr>\d+)"

btw, you don't need the field=_raw, since that is the default.

Or you could look into the DELIMS parameter in transforms.conf

in props.conf

[your_sourcetype]
REPORT-blaha = semicolondelims

in transforms.conf

[semicolondelims]
DELIMS= ";", "="

This tells Splunk that key/value pairs are separated by a semi-colon, and that the keys are separated from the values by an 'equals' character.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

Hope this helps,

Kristian

MarioM · ‎05-02-2012

I am not to sure to understand what you are trying to do. Why not using :

| extract pairdelim=";", kvdelim="=", auto=f

help with rex

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Join the Conversation

help with rex

Data Management Digest – December 2025

Index This | What is broken 80% of the time by February?

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...