topic REX in Splunk Dev

REX

edfigue88 — Wed, 14 Oct 2020 21:45:36 GMT

Hello, I'm not so good with REX formula, if someone can help me and give me some tip for next time, I appreciate, thanks.

I need to extract the balance (50446.50), the info is in field1

'Col1' Endpoint[442] 'DO' Wallet[501] 'Trilogy' Balance '50446.50 USD'

Re: REX

bowesmana — Wed, 14 Oct 2020 22:27:53 GMT

@edfigue88

Try this run anywhere example which shows your data and the necessary rex

| makeresults | eval field1="'Col1' Endpoint[442] 'DO' Wallet[501] 'Trilogy' Balance '50446.50 USD'" | rex field=field1 "Balance\s'(?<Balance>[\d\.]+)"

Hope this helps

Re: REX

edfigue88 — Wed, 14 Oct 2020 23:29:16 GMT

Yes, that work for me, if I want to have the "USD" in my results, what I need to change or include?

Re: REX

edfigue88 — Thu, 15 Oct 2020 00:54:04 GMT

@bowesmana can you help me with this change please

Re: REX

bowesmana — Thu, 15 Oct 2020 01:04:01 GMT

You can either extract the currency as a separate field, like this

| makeresults | eval field1="'Col1' Endpoint[442] 'DO' Wallet[501] 'Trilogy' Balance '50446.50 USD'" | rex field=field1 "Balance\s'(?<Balance>[\d\.]+)\s(?<Currency>\w+)" | eval Amount=Balance." ".Currency

and then you have Balance and Currency, which you can then join together again if you need, or you can extract it as part of the original Balance field like this

| rex field=field1 "Balance\s'(?<Balance>[\d\.]+\s\w+)"

The benefit of using the former approach is you can then use the numeric balance field if you want to make calculations, whereas with the currency as part of the field, you cannot.

Re: REX

bowesmana — Thu, 15 Oct 2020 01:48:03 GMT

The regex101 is a good way to learn and play with regex

https://regex101.com/