- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: rex - extract 2 single values from set of numb...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
hello guyz,
new to splunk was to figure out solution for this.
I have logs like below need to do " rex" and extract 2 values (1st and 4th) from each log with set like [23,23.000,89.375,35,0], [1,1.000,16.000,4,0] etc.
ex.,
value1- "23" and save in new field with name conferences from every log
value4- "35" and save in new field with name calls from every log
thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified the regex above a little to get the correct fields.
^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[(?P<conferences>\d+),\d+.\d+[^,],\d+.\d+,(?P<calls>\d+),\d+\]\}
If you're new to regex, here's a great website to help. You can use it to try regex expressions and collaborate with others to help you become an expert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
Try this
| makeresults
| eval msg="server: [USAGE] : {\"2\" : [23,23.000,89.375,35,0]}
host = us-voice-vmr11.corp.com"
| append
[| makeresults
| eval msg="server: [USAGE] : {\"2\" : [1,1.000,16.000,4,0]}
host = gs-voice-vmr12.corp.com"]
| rex field=msg "^server:\s\[\w+\]\s:\s\{\"\d+\"\s:\s\[(?P<temp>.+)\]}"
| eval values = split(temp,",")
| eval conferences = mvindex(values,0)
| eval calls = mvindex(values,3)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I modified the regex above a little to get the correct fields.
^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[(?P<conferences>\d+),\d+.\d+[^,],\d+.\d+,(?P<calls>\d+),\d+\]\}
If you're new to regex, here's a great website to help. You can use it to try regex expressions and collaborate with others to help you become an expert.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey @splunkuseradmin ,
Try using this regex:
rex field=_raw "^server:\s\[\w+\]\s:\s{\"\d+\"\s\:\s\[\d+,(?P<conferences>\d+.\d+[^,]),\d+.\d+,(?P<calls>\d+),\d+\]\}"
Let me know if this helps!!
Index This | I’m short for "configuration file.” What am I?
New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...
Your Guide to SPL2 at .conf24!
