Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

rex extract number

indeed_2000
Motivator
‎01-05-2022 05:30 AM

Hi

2022-01-04 23:10:43,224 INFO [APP] sessionDestroyed, Session Count: 0
2022-01-04 23:12:34,238 INFO [APP] sessionCreated, Session Count: 1

2022-01-04 23:13:43,224 INFO [APP] sessionDestroyed, Session Count: 10
2022-01-04 23:14:34,238 INFO [APP] sessionCreated, Session Count: 7

 

extract output                              sessionCreated            sessionDestroyed

2022-01-04 23:10:43                                                                                0

2022-01-04 23:12:34                           1

2022-01-04 23:13:43                                                                               10

2022-01-04 23:14:34                            7

 

Labels (1)
Labels
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-05-2022 06:17 AM

Hi

You can try this

| rex "sessionCreated, Session Count: (?<sessionCreated>\d+)" 
| rex "sessionDestroyed, Session Count: (?<sessionDestroyed>\d+)"
| table _time sessionCreated sessionDestroyed

r. Ismo 

0 Karma
Reply

indeed_2000
Motivator
‎01-05-2022 09:37 AM

How about single rex?

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-06-2022 01:01 AM
Also that is working, but as you want those to separate variables it's clearer to use two (IMHO)
0 Karma
Reply

indeed_2000
Motivator
‎01-06-2022 01:08 AM

Actually need to show them on timechart but want extract fields with single rex.

any idea?

 Thanks 

0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎01-06-2022 01:27 AM

Maybe this?

| makeresults
| eval _raw="2022-01-04 23:10:43,224 INFO [APP] sessionDestroyed, Session Count: 0
2022-01-04 23:12:34,238 INFO [APP] sessionCreated, Session Count: 1
2022-01-04 23:13:43,224 INFO [APP] sessionDestroyed, Session Count: 10
2022-01-04 23:14:34,238 INFO [APP] sessionCreated, Session Count: 7"
| multikv noheader=t
|  rex "^(?<dt>\d{4}-\d+-\d+ \d+:\d+:\d+,\d+) "
| eval _time = strptime(dt, "%F%T,%3Q")
```Above generates sample data```
| rex "(sessionCreated, Session Count: (?<sessionCreated>\d+))|(sessionDestroyed, Session Count: (?<sessionDestroyed>\d+))"
| table _time sessionCreated sessionDestroyed
Reply

indeed_2000
Motivator
‎01-08-2022 10:53 PM

Thanks, is it possible to extract these fields more efficiently?

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-09-2022 02:10 AM

What is your definition of "efficiently"?

@isoutamo has given you an answer without you having to work it out yourself; it is a single rex, as you asked for; what can be more efficient than that? 😀😀😀

0 Karma
Reply

indeed_2000
Motivator
‎01-09-2022 02:44 AM

I try this spl on large dataset and take long time to extract it, so I'm looking for more efficient way to do this.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-09-2022 02:51 AM

Can you extract the event type and count at indexing time?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk APM: New Product Features + Community Office Hours Recap!

Howdy Splunk Community! Over the past few months, we’ve had a lot going on in the world of Splunk Application ...

Index This | Forward, I’m heavy; backward, I’m not. What am I?

April 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

A Guide To Cloud Migration Success

As enterprises’ rapid expansion to the cloud continues, IT leaders are continuously looking for ways to focus ...