Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

rex - extract 2 single values from set of numbers

splunkuseradmin
Path Finder
‎05-16-2019 05:34 PM

hello guyz,

new to splunk was to figure out solution for this.
I have logs like below need to do " rex" and extract 2 values (1st and 4th) from each log with set like [23,23.000,89.375,35,0], [1,1.000,16.000,4,0] etc.
ex.,
value1- "23" and save in new field with name conferences from every log
value4- "35" and save in new field with name calls from every log
thanks

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

memarshall63
Communicator
‎05-17-2019 05:16 AM

I modified the regex above a little to get the correct fields.

^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[(?P<conferences>\d+),\d+.\d+[^,],\d+.\d+,(?P<calls>\d+),\d+\]\}

If you're new to regex, here's a great website to help. You can use it to try regex expressions and collaborate with others to help you become an expert.

https://regex101.com/r/DAog06/1/

View solution in original post

0 Karma
Reply
Solved! Jump to solution

vnravikumar
Champion
‎05-17-2019 05:24 AM

Hi

Try this

| makeresults 
| eval msg="server: [USAGE] : {\"2\" : [23,23.000,89.375,35,0]}
host = us-voice-vmr11.corp.com" 
| append 
    [| makeresults 
    | eval msg="server: [USAGE] : {\"2\" : [1,1.000,16.000,4,0]}
host = gs-voice-vmr12.corp.com"] 
| rex field=msg "^server:\s\[\w+\]\s:\s\{\"\d+\"\s:\s\[(?P<temp>.+)\]}" 
| eval values = split(temp,",") 
| eval conferences = mvindex(values,0) 
| eval calls = mvindex(values,3)
0 Karma
Reply
Solved! Jump to solution
Solution

memarshall63
Communicator
‎05-17-2019 05:16 AM

I modified the regex above a little to get the correct fields.

^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[(?P<conferences>\d+),\d+.\d+[^,],\d+.\d+,(?P<calls>\d+),\d+\]\}

If you're new to regex, here's a great website to help. You can use it to try regex expressions and collaborate with others to help you become an expert.

https://regex101.com/r/DAog06/1/

0 Karma
Reply
Solved! Jump to solution

deepashri_123
Motivator
‎05-17-2019 04:59 AM

Hey @splunkuseradmin ,

Try using this regex:

rex field=_raw "^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[\d+,(?P<conferences>\d+.\d+[^,]),\d+.\d+,(?P<calls>\d+),\d+\]\}"

Let me know if this helps!!

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...