Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

What is a regular expression that ignores whitespace and text, and captures only numbers of varying lengths?

Lucas_Henry_
New Member
‎08-05-2016 07:56 AM

I'm trying to write a regular expression that will find only the numbers in the string of text below:

MemTotal: 16328352 kB

I don't want the alphabetical or whitespace characters. I just want (in this example) "16328352".

I can't find a specification on a regular expression that will ignore certain data types, however.

0 Karma
Reply

sundareshr
Legend
‎08-05-2016 10:41 AM

You already have 4 options, why not one more 🙂 Try this

MemTotal:\s*(?<mem>\d+)"
0 Karma
Reply

somesoni2
Revered Legend
‎08-05-2016 08:24 AM

Give this a shot

MemTotal\:\s+(?<MemoryTotal>[^\s]+)
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-05-2016 08:20 AM

edit - tried this and its working good.

sourcetype=rexmemtotal | rex field=_raw "(MemTotal:\s+(?P<rexmemtotal>\d+))" | table rexmemtotal _raw
thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

inventsekar
SplunkTrust
SplunkTrust
‎08-05-2016 08:41 AM

splunk document link for rex learning
http://docs.splunk.com/Documentation/Splunk/6.4.2/Knowledge/AboutSplunkregularexpressions
http://docs.splunk.com/Documentation/Splunk/6.4.2/SearchReference/Rex

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-05-2016 08:00 AM

Try this

... | rex (?P<MemTotal>(?<=MemTotal\:\s)\d+(?=\s\w{2}))

Reply

Lucas_Henry_
New Member
‎08-05-2016 08:08 AM

What would this look like if I were to plug it into the field extractor tool?

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-05-2016 08:10 AM

Like this

(?P<MemTotal>(?<=MemTotal\:\s)\d+(?=\s\w{2}))

0 Karma
Reply

Lucas_Henry_
New Member
‎08-05-2016 08:13 AM

Still nothing, unfortunately.

If it helps, the amount of whitespace and the number of integers will vary between records.

0 Karma
Reply

skoelpin
SplunkTrust
SplunkTrust
‎08-05-2016 08:31 AM

Ahh yeah the amount of whitespace mattered, but this should work

(?P<MemTotal>MemTotal\:\s+(?<MemoryTotal>[^\s]+))

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2016 08:00 AM

Try "MemTotal: (?<memTotal>\d+)".

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Lucas_Henry_
New Member
‎08-05-2016 08:09 AM

No dice. It didn't extract anything.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-05-2016 08:13 AM

Did you use it in a rex command?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

Lucas_Henry_
New Member
‎08-05-2016 08:14 AM

No. I'm trying to use the field extractor because the info is for a non-dev unit

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...