Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex help

agoktas
Communicator
‎12-17-2015 01:38 PM

Hello,

Would anyone know the regex value for the final numeric value after the last comma in the following log entry:

BlahBlah 2015/12/17 13:23:48:266,63

So all I need is the number after the last comma. It can be 1 or more digits (including zero).

I'm creating a named variable, but this doesn't work: 

| rex ", (?P<TrasactionTime>\d+)$" | top 10 TrasactionTime

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎12-17-2015 01:49 PM

Hi agoktas,

almost correct, your regex has a whitespace too much so this will work:

your search here | rex ",(?<TrasactionTime>\d+)$" | top 10 TrasactionTime

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎12-17-2015 01:49 PM

Hi agoktas,

almost correct, your regex has a whitespace too much so this will work:

your search here | rex ",(?<TrasactionTime>\d+)$" | top 10 TrasactionTime

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 03:06 PM

Bingo! That's it. 🙂 I knew it was close. 😉

By the way, how do you sort by the values it returns? I noticed if I do a:
| top 10 TrasactionTime
It will only return the 10 most frequent occurred values, versus the top 10 values.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-17-2015 03:11 PM

after the rex instead of top use sort TrasactionTime for ascending or sort - TrasactionTime for descending sort and add also | head 10 at the end to get only the the last 10 result after the sort.

Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 03:34 PM

Perfect.

One last thing... sorry...
How do you only allow the "TrasactionTime" column to show?

It now displays the TrasactionTime & Rawlog columns. The raw log clutters the panel.

Thanks.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-17-2015 04:37 PM

either use:

  | fields TrasactionTime

or 

  | table TrasactionTime

BTW should this be TransactionTime instead of TrasactionTime?

Feel free to up vote the additional answers - thanks :))

Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 04:42 PM

Table TransactionTime worked perfectly.

fields TransactionTime still had other columns.

Yes, I made a typo. "Transaction" is correct. 😉

Thanks again for all your help!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-17-2015 01:46 PM

Try this 

... | rex (?<TransactionTime>\d+)$ | top 10 TransactionTime
0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...