help with rex

rguntupalli8 · ‎05-01-2012

Trying to evaluate the below:

1min=1;5min=1;60min=1;24hr=1

Below seem to be not working. Anything wrong with this?

| rex field=_raw "1min=(?<1min>.+?);5min=(?<5min>.+?);60min=(?<60min>.+?);24hr=(?<24hr>.+?)"

chimell · ‎12-12-2016

Hi

Try this search code

.........................|rex field=_raw "1min\=(?<one_min>[^\;])\;5min\=(?<five_min>[^\;])\;60min\=(?<sixty_min>[^\;])\;24hr\=(?<twenty_four_hr>[\d+])"|table one_min five_min sixty_min twenty_four_hr

kristian_kolb · ‎05-02-2012

You could try to be more specific in the matching, like;

rex "1min=(?<1min>\d+);5min=(?<5min>\d+);60min=(?<60min>\d+);24hr=(?<24hr>\d+)"

btw, you don't need the field=_raw, since that is the default.

Or you could look into the DELIMS parameter in transforms.conf

in props.conf

[your_sourcetype]
REPORT-blaha = semicolondelims

in transforms.conf

[semicolondelims]
DELIMS= ";", "="

This tells Splunk that key/value pairs are separated by a semi-colon, and that the keys are separated from the values by an 'equals' character.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

Hope this helps,

Kristian

MarioM · ‎05-02-2012

I am not to sure to understand what you are trying to do. Why not using :

| extract pairdelim=";", kvdelim="=", auto=f

help with rex

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!

Join the Conversation

help with rex

Accelerating Observability as Code with the Splunk AI Assistant

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

Congratulations to the 2025-2026 SplunkTrust!