Splunk Search
Highlighted

need help with extracting a millisecond value from log events into a variable by using rex

New Member

Hi ,

I am trying to come up with a rex expression to fetch the millisecond value appearing in the log events displayed below into a variable.

2011-08-01 14:27:24,758 INFO - 8009-4 - Successfully got security suite status to user account: 135 via securitySuite in 94 milliseconds.
2011-08-01 14:24:44,572 INFO - 8009-3 - Successfully got security suite status to user account: 138 via securitySuite in 129 milliseconds.
2011-08-01 14:23:09,193 INFO - 8009-1 - Successfully got security suite status to user account: 130 via securitySuite in 113 milliseconds.
2011-08-01 14:21:23,214 INFO - 8009-1 - Successfully got security suite status to user account: 130 via securitySuite in 1699 milliseconds.
2011-08-01 14:18:27,395 INFO - 8009-4 - Successfully got security suite status to user account: 130 via securitySuite in 112 milliseconds.

From these events, i am trying to fetch the millisecond values: 94 / 129 / 113/ 112 in a variable, so that I can have a variable say “msec” and it will have the millisecond value for each field , i.e msec=94 , msec=129 , msec=113 , m_sec=112.

Can you please help me with the rex expression to fetch these values. I have tried the field extraction and it is not able to create a field with these values.

0 Karma
Highlighted

Re: need help with extracting a millisecond value from log events into a variable by using rex

Legend

Try this:

in (?<m_sec>\d+) milliseconds
0 Karma
Highlighted

Re: need help with extracting a millisecond value from log events into a variable by using rex

Legend

Meh, the Answers site is adding another \ in the regex. That should be just one \ in front of d+.

0 Karma