Regex in splunk - starting with number and has comma in between

Time:07-30

I am trying to write a regex to extract the number so that I can calculate the sum. Below is the event:

abre0001.pxm:  55 records processed as of 2022-07-28 00:55:51.829407 

abre0001.pxm:  23,555 records processed as of 2022-07-28 00:55:51.829407 

abcd0001.pxm:  23,45,555 records processed as of 2022-07-28 00:55:52.543170 

I want to extract the fields 55, 23,555, and 23,45,555 from each event and calculate the sum. However, I am unable to extract the number with a comma in it. I am able to get just the entries with only digits. Below is the regex used.

index="" source="" sourcetype="r"  "ab*0001.pxm" 
| rex field=_raw "pxm:\s+(?<value>/d+)/s" 
| convert rmcomma(value) 
| stats sum(value) as total_entries

The value field is unable to extract the number having a comma. It only extracts 55; the rest of the entries are blank. Not sure what explicitly we need to give here.

CodePudding user response:

| rex field=_raw "pxm:\s+(?<value>[\d,]+)\s"
| eval value=replace(value,",","")

d and s are escaped, and "," is added to the group that can be in the named capture group "value".

You then need to remove any commas, since they're not numerical.
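
A stand-alone JavaScript check of the two patterns against the three sample events, added here as an illustration and not part of the original question or answer. JavaScript is used because it accepts the same `(?<value>...)` named-group syntax; the digits-only pattern is an assumed properly escaped form of the question's regex, and the names `extractValue` and `totalEntries` are made up for this sketch.

```javascript
// Constructed input: the three sample events from the question.
const events = [
  "abre0001.pxm:  55 records processed as of 2022-07-28 00:55:51.829407",
  "abre0001.pxm:  23,555 records processed as of 2022-07-28 00:55:51.829407",
  "abcd0001.pxm:  23,45,555 records processed as of 2022-07-28 00:55:52.543170",
];

// Digits only (assumed escaped form of the question's regex): \d+ stops at the
// first comma, the following \s cannot match, and the whole pattern fails,
// so "value" stays empty for the comma-separated numbers.
const digitsOnly = /pxm:\s+(?<value>\d+)\s/;

// Character class from the answer: one or more digits or commas.
const digitsAndCommas = /pxm:\s+(?<value>[\d,]+)\s/;

// Stand-in for `rex`: return the captured text, or null when nothing matches.
function extractValue(pattern, event) {
  const m = pattern.exec(event);
  return m ? m.groups.value : null;
}

// Stand-in for eval replace(value, ",", "") followed by stats sum(value).
// Events without a match are skipped, as stats ignores null field values.
function totalEntries(pattern, lines) {
  let total = 0;
  for (const line of lines) {
    const raw = extractValue(pattern, line);
    if (raw === null) continue;
    total += Number(raw.replace(/,/g, ""));
  }
  return total;
}

// Show what each pattern captures per event, then the sum with the fixed one.
for (const e of events) {
  console.log(extractValue(digitsOnly, e), "|", extractValue(digitsAndCommas, e));
}
console.log("total:", totalEntries(digitsAndCommas, events));
```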
