Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex help

agoktas
Communicator
‎12-17-2015 01:38 PM

Hello,

Would anyone know the regex value for the final numeric value after the last comma in the following log entry:

BlahBlah 2015/12/17 13:23:48:266,63

So all I need is the number after the last comma. It can be 1 or more digits (including zero).

I'm creating a named variable, but this doesn't work: 

| rex ", (?P<TrasactionTime>\d+)$" | top 10 TrasactionTime

Thanks!

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

MuS
Legend
‎12-17-2015 01:49 PM

Hi agoktas,

almost correct, your regex has a whitespace too much so this will work:

your search here | rex ",(?<TrasactionTime>\d+)$" | top 10 TrasactionTime

Hope this helps ...

cheers, MuS

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

MuS
Legend
‎12-17-2015 01:49 PM

Hi agoktas,

almost correct, your regex has a whitespace too much so this will work:

your search here | rex ",(?<TrasactionTime>\d+)$" | top 10 TrasactionTime

Hope this helps ...

cheers, MuS

0 Karma
Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 03:06 PM

Bingo! That's it. 🙂 I knew it was close. 😉

By the way, how do you sort by the values it returns? I noticed if I do a:
| top 10 TrasactionTime
It will only return the 10 most frequent occurred values, versus the top 10 values.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-17-2015 03:11 PM

after the rex instead of top use sort TrasactionTime for ascending or sort - TrasactionTime for descending sort and add also | head 10 at the end to get only the the last 10 result after the sort.

Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 03:34 PM

Perfect.

One last thing... sorry...
How do you only allow the "TrasactionTime" column to show?

It now displays the TrasactionTime & Rawlog columns. The raw log clutters the panel.

Thanks.

0 Karma
Reply
Solved! Jump to solution

MuS
Legend
‎12-17-2015 04:37 PM

either use:

  | fields TrasactionTime

or 

  | table TrasactionTime

BTW should this be TransactionTime instead of TrasactionTime?

Feel free to up vote the additional answers - thanks :))

Reply
Solved! Jump to solution

agoktas
Communicator
‎12-17-2015 04:42 PM

Table TransactionTime worked perfectly.

fields TransactionTime still had other columns.

Yes, I made a typo. "Transaction" is correct. 😉

Thanks again for all your help!

0 Karma
Reply
Solved! Jump to solution

sundareshr
Legend
‎12-17-2015 01:46 PM

Try this 

... | rex (?<TransactionTime>\d+)$ | top 10 TransactionTime
0 Karma
Reply
Register for .conf25!
Get Updates on the Splunk Community!

AppDynamics Summer Webinars

This summer, our mighty AppDynamics team is cooking up some delicious content on YouTube Live to satiate your ...

SOCin’ it to you at Splunk University

Splunk University is expanding its instructor-led learning portfolio with dedicated Security tracks at .conf25 ...

Credit Card Data Protection & PCI Compliance with Splunk Edge Processor

Organizations handling credit card transactions know that PCI DSS compliance is both critical and complex. The ...