Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

help with rex

rguntupalli8
New Member
‎05-01-2012 07:58 PM

Trying to evaluate the below:

1min=1;5min=1;60min=1;24hr=1

Below seem to be not working. Anything wrong with this?

| rex field=_raw "1min=(?<1min>.+?);5min=(?<5min>.+?);60min=(?<60min>.+?);24hr=(?<24hr>.+?)"
Tags (1)
0 Karma
Reply

chimell
Motivator
‎12-12-2016 01:33 AM

Hi

Try this search code

.........................|rex field=_raw "1min\=(?<one_min>[^\;])\;5min\=(?<five_min>[^\;])\;60min\=(?<sixty_min>[^\;])\;24hr\=(?<twenty_four_hr>[\d+])"|table one_min five_min sixty_min twenty_four_hr
0 Karma
Reply

kristian_kolb
Ultra Champion
‎05-02-2012 12:25 AM

You could try to be more specific in the matching, like;

rex "1min=(?<1min>\d+);5min=(?<5min>\d+);60min=(?<60min>\d+);24hr=(?<24hr>\d+)"

btw, you don't need the field=_raw, since that is the default.

Or you could look into the DELIMS parameter in transforms.conf

in props.conf

[your_sourcetype]
REPORT-blaha = semicolondelims

in transforms.conf

[semicolondelims]
DELIMS= ";", "="

This tells Splunk that key/value pairs are separated by a semi-colon, and that the keys are separated from the values by an 'equals' character.

http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf

Hope this helps,

Kristian

Reply

MarioM
Motivator
‎05-02-2012 12:17 AM

I am not to sure to understand what you are trying to do. Why not using :

| extract pairdelim=";", kvdelim="=", auto=f
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...