Parse out items of a list that has a variable length

Follow
Avatar
Elliott Miller

Give the following log

Successfully processed the following files: [file_1.txt(size=1234), file_2.txt(size=5678), ..., file_n.txt(size=1234)]

I want to perform calculations, such as sum, on file sizes. I have tried using "parse multi" and "split" without any success. I might be doing things wrong and one of those might be the answer. Looking for help on how to parse out a list of items, when that list has a variable length, to then parse out items of that list individually.

0

Comments

3 comments

Sort by Date Votes
  • Avatar
    Harinder Bhandari

    Hi Elliot,

    You should parse regex and use multi option to parse list of items of variable length. For Example:

    | parse regex "size=(?<file_size>.*?)\)\," multi

    https://help.sumologic.com/05Search/Search-Query-Language/01-Parse-Operators/02-Parse-Variable-Patterns-Using-Regex 

    Hope this helps.

    Thanks.

    1
    Comment actions Permalink
  • Avatar
    Kevin Keech2

    Agree with using parse regex / multi. Here is another example that captures the file name as well as the size. 

    | parse regex "(?:\[|,\s+)(?<name>.*?)\(size=(?<size>\d+)\)" multi

    When using the Multi option each instance of the matching string will become a separate message line in the results. You can use the _messageID metadata to sum these up per the original message if this is what you're needing. 

    | parse regex "(?:\[|,\s+)(?<name>.*?)\(size=(?<size>\d+)\)" multi
    | sum(size) as total_size by _messageid
    | fields - _messageid



    1
    Comment actions Permalink
  • Avatar
    Elliott Miller

    Thank you for the help, these answers worked for me!

    I do wish there was some more direct operator that would parse out lists. Regex feels like a hack of a solution. It works, so that's enough for now.

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post