Lenart, Do you mean that I should use this in the lookbehind? When I use it directly, I have to put the whole thing in parenthesis, it matches the front of the string i.e. "root: da2 " It appears from research that Java doesn't support lookbehind functions that are of arbitrary length. The + means one or more which makes it arbitrary. I don't know why Java does that, it seems very limiting.
The further confusing part is that this appears to work fine: (?<=\d\.\d\s)\d+(?=\.) I am testing these on http://www.regexplanet.com/advanced/java/index.html Which purports to be a Java regex tester. This site reports three matches on my example line which I didn't think was an issue as the extractor creation page says the first matcher group is used. On Wednesday, May 7, 2014 1:17:35 PM UTC-6, lennart wrote: > > Try this one: ^.+:\s.+?\s(.+?)\s > > On Wed, May 7, 2014 at 6:03 PM, Jarred Masterson > <[email protected] <javascript:>> wrote: > > To confess upfront, I am a noob with RegEx but I've made some decent > > progress in the past few days. I have a couple of extractors working > well > > but I'm running into an issue with one that seems like it should work. > > > > First here is an example line that I am matching against: > > root: da2 75.6 49.7 4743.9 3183.8 6 1.3 6 > > > > This is output from FreeBSD iostat -x and I have working extractors for > the > > device name and the first numbered field which is read operations. I'm > on > > 0.20.1 and I had to pull the digits prior to the decimal place due to > the > > number converter not dealing with floating point numbers. I see from the > > github commits that this has been fixed in 20.2! > > > > I am trying now to pull the second metric which is the write operations > per > > second and in this case is 75.6. > > > > It seems like this should work: > > (?<=\d+\b)\d+(?=\.) > > > > I've also tried to move the \b around such as (?<=\d+)\b\d+(?=\.) I am > also > > a little confused as to if I do or do not need to enclose the whole > thing in > > parenthesis. My working extractors are enclosed in () but I get errors > when > > trying that with the above example. > > > > -- > > You received this message because you are subscribed to the Google > Groups > > "graylog2" group. > > To unsubscribe from this group and stop receiving emails from it, send > an > > email to [email protected] <javascript:>. > > For more options, visit https://groups.google.com/d/optout. > -- You received this message because you are subscribed to the Google Groups "graylog2" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
