Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Looking for a regex that extract key=values from same line

YagneshShah1
New Member
‎11-10-2020 11:02 AM

Application log file display below at one of the line, looking for a regex that extract value of "0" / "1" / "2" or "3" in to a variables, which can be used later to draw a line chart

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10  3=5 ]

Labels (1)
Labels
0 Karma
Reply

somesoni2
Revered Legend
‎11-10-2020 04:07 PM

Try using extract command (works on field _raw). A runanywhere example is here:

 

| makeresults
| eval raw=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand raw | rename raw as _raw 
| extract kvdelim="=" pairdelim=" " auto=t clean_keys=false
0 Karma
Reply

YagneshShah1
New Member
‎11-11-2020 07:49 AM

I cannot use any of this in extract

(Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10 3=5 ])

as I have mentioned it is not constant it changes, logs sometime display

Splunk item Total: [ 0=233 ]

or

Splunk item Total: [ 1=220 ]

or

Splunk item Total: [ 1=220 3=40 ]

or

Splunk item Total: [ 0=50 1=210 3=30 ]

or

Splunk item Total: [ 0=100 1=205 2=10 3=5 ]

Only think I am interested is if it had "0=" than like to extract that value if it display "1=" than like to extract that value if it display "0=" and "1=" than like to extract both value

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎11-10-2020 01:33 PM

Using your example data, run this query - is that what you wanted in the rex statement?

| makeresults
| eval fields=split("Splunk item Total: [ 0=233 ],Splunk item Total: [ 1=220 ],Splunk item Total: [ 1=220 3=40 ],Splunk item Total: [ 0=50 1=210 3=30 ],Splunk item Total: [ 0=100 1=205 2=10  3=5 ]",",")
| mvexpand fields
| table fields
| rex field=fields max_match=0 "(?<key>\d+)=(?<value>\d+)"
0 Karma
Reply

YagneshShah1
New Member
‎11-10-2020 03:03 PM

Sorry I confuse you, actually log is printing sometime this 

Splunk item Total: [ 0=233 ]

or sometime this 

Splunk item Total: [ 1=220 ]

and looking for a regex that capture in variable "zero" value 233 and in variable "one" value 220 than I will use variable "zero" and "one  to print line graph 

0 Karma
Reply
Get Updates on the Splunk Community!

Bridging the Gap: Splunk Helps Students Move from Classroom to Career

The Splunk Community is a powerful network of users, educators, and organizations working together to tackle ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Unleash Unified Security and Observability with Splunk Cloud Platform

     Now Available on Microsoft AzureThursday, March 27, 2025  |  11AM PST / 2PM EST | Register NowStep boldly ...