How to fix the Splunk regex pattern?

Asked May 06 '22 at 05:30

Active May 06 '22 at 05:30

Viewed 20 times

-1

I am trying to extract the numeric value for a free text field in my Splunk logs which looks like below

Time difference : 443

I am using the below query to extract this field

... | rex field=_raw "Time difference : (?<timeDiff>^\d+$)" | status count(timeDiff) by groupName

However, timeDiff does not extract the numeric value. Am I missing something?

asked May 06 '22 at 05:30

stackoverflowN

1

I haven't used Splunk, but the `^` and `$` are asserts for "beginning" and "end" of line. Your timeDiff doesn't seem to be at the beginning of the line, so at least drop the caret. – Adam Smith May 06 '22 at 05:40
This solved it! Thanks! – stackoverflowN May 07 '22 at 12:27

0 Answers0