Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Looking for a regex that extract key=values from same line

YagneshShah1
New Member
‎11-10-2020 11:02 AM

Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10  3=5 ]

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-10-2020 04:07 PM

Try using extract command (works on field _raw). A runanywhere example is here:

 

| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand raw | rename raw as _raw 
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false
0 Karma
Reply

YagneshShah1
New Member
‎11-11-2020 07:49 AM

I cannot use any of this in extract

(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])

as I have mentioned it is not constant it changes, logs sometime display

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2020 01:33 PM

Using your example data, run this query - is that what you wanted in the rex statement?

| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"
0 Karma
Reply

YagneshShah1
New Member
‎11-10-2020 03:03 PM

Sorry I confuse you, actually log is printing sometime this 

Splunk item Total: [ 0=233 ]

or sometime this 

Splunk item Total: [ 1=220 ]

and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one  to print line graph 

0 Karma
Reply
Get Updates on the Splunk Community!

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

For the past four years, Splunk has partnered with Enterprise Strategy Group to conduct a survey that gauges ...

Data-Driven Success: Splunk & Financial Services

Splunk streamlines the process of extracting insights from large volumes of data. In this fast-paced world, ...