Re: regex formation

harsh1734 · ‎08-01-2013

hi,
in my log files there is a field name cpu time with different time values like 57.682 sec,0.572 sec and among the highest it is 1133.982 secs when i am trying to extract 1133.982,it showing me the message..

No regex could be learned. Try providing different examples or restriction
so how can i extract this field

mothmen · ‎08-02-2013

Using the regex to get establish field name can be a pretty big pain.

Unless there's a good reason not to, I'd recommend logging the CPU Time within the .log file as something like: "CPU_Time=1133.982" (minus the quotation marks)

Splunk will automatically create the field "CPU_Time" if you log your information this way. It's extremely convenient.

jonuwz · ‎08-02-2013

... | rex "(?<cpu_time>\d+(?:\.\d+)?) sec"

This looks for a number, optionally followed by .xxxx follwowd by "sec", and sets a field called cpu_time to the number component of the string.

Drainy · ‎08-02-2013

If you could post an example event one of the community or myself could probably write a regex for you

regex formation

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Join the Conversation