trouble with regex

nicolay_koecher · ‎05-29-2015

Hello
I have sone trouble with regex
I want build a table or a chart wirh the following content:

I started with this regex command:
^(?:[^ \n]* ){5}(?P<prn_upd>\w+\s+\w+)
2015-04-25 15:07:17.273 Total number of printers deleted: 2
but this shows only the text printers deleted not the quantity - can anybody help me in this?

lastly the table should look like this:

Date Printer created quantity
date Printer deletet quantity
date printers obsoleted
date printers updated
date errors

this is the origin logfile:
2015-04-25 11:07:30.008 Total number of printers created: 0
2015-04-25 11:07:30.008 Total number of printers deleted: 2
2015-04-25 11:07:30.008 Total number of printers obsoleted: 0
2015-04-25 11:07:30.008 Total number of printers updated: 0
2015-04-25 11:07:30.008 Total number of printers with errors: 0

richgalloway · ‎05-29-2015

Try this. The format will be a little different from what you asked for, but it should get you started.

... | rex "printers (?P<prn_upd>[^:]*):\s*(?P<quantity>\d+)" | stats sum(quantity) as Sum by _time prn_upd | table _time prn_upd Sum`

---
If this reply helps you, Karma would be appreciated.

dmaislin_splunk · ‎05-29-2015

Here is a quick REGEX: https://regex101.com/r/aK7iQ7/5 It could probably be improved.

trouble with regex

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Are you a member of the Splunk Community?

trouble with regex

Celebrating Fast Lane: 2025 Authorized Learning Partner of the Year

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency