Solved: regex statement

JoshuaJohn · ‎08-26-2016

I am trying to extract the response time from this statement (Just the number, not the words response time or the ms behind it)
Here is a regex statement I wrote ((response time: )(\w+)) this is splitting the number into the 3rd group but I am unsure as to how to remove the other two groups from the results as I need them to help with the matching aspect

Here is the statement I am trying to extract from:
<117>Aug 26 15:22:16 777-120 SLAVE[p-core_987734]: 2016-08-26 15:22:16,7t2 INFO [q44760481-48788] 6699-4871-a646-1b15556d queriesAndResponseTimeLogger - Client request: /search?keyword=tools+accessories&sendRefinements=false&count=3, response time: 70 ms, stage1Count=0, stage2Count=13, effectiveStage=STAGE2

The bolded number is the one I want

sundareshr · ‎08-26-2016

Try this regex

"response\stime\:\s+(?<response_time>\d+)\s"

View solution in original post

cdoebert · ‎08-26-2016

Use a positive lookbehind:

(?<=response time: )(\w+)

sundareshr · ‎08-26-2016

Try this regex

"response\stime\:\s+(?<response_time>\d+)\s"

regex statement

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

Join the Conversation