topic How do you use the rex command to calculate a value? in Splunk Search

How do you use the rex command to calculate a value?

Danielle2018V — Wed, 20 Jun 2018 20:36:33 GMT

Hello,

I'm new to Splunk and I have the following field and want to grab the subtotal of the field total using the rex_raw field.

This is the field in the log file

 "total"=>"$37.05",

This is the code I wrote any idea why it's not working?

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US"  | rex  field=_raw "total\"=>\"$\"(?<refund_amount>.*)\"" | stats sum(refund_amount) as amount_refunded

Re: How do you use the rex command to calculate a value?

darrenfuller — Wed, 20 Jun 2018 20:55:50 GMT

Hey..

You didn't make any fields in your regular expression. For rex to work you need to have a regular expression with at least one named capture group like: (?pattern)

try something like:

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US" 
| rex field=_raw "total\"=>\"$(?<refund_amount>[^\"]+)\"" 
| stats sum(refund_amount) as amount_refunded

Re: How do you use the rex command to calculate a value?

ddrillic — Wed, 20 Jun 2018 20:56:15 GMT

Something like - "total"=>\$(?<sum>.*)

Re: How do you use the rex command to calculate a value?

somesoni2 — Wed, 20 Jun 2018 21:07:13 GMT

Try this

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US" 
| rex  field=_raw "total\"\=\>\"\$(?<refund_amount>.*)\""
 | stats sum(refund_amount) as amount_refunded

See this runanywhere sample search

| gentimes start=-1 | eval _raw="Somes other test  \"total\"=>\"$37.05\", more text" | table _raw | rex  field=_raw "total\"\=\>\"\$(?<refund_amount>.*)\""

Re: How do you use the rex command to calculate a value?

Danielle2018V — Tue, 29 Sep 2020 20:06:44 GMT

Thanks everyone for the speedy responses. I tried all three suggestions but still received the same error "no results found". Below is a sample of the log file. You can see that the total is $52.99 but still no results were found.Is the rex command the most appropriate solution to gather a subtotal of the total field?

Thanks

"$0.00", "raw_discount"=>0, "shipping_cost"=>"$0.00", "shipping_total"=>0, "tax"=>"$3.00", "occupancy_tax"=>nil, "tip"=>nil, "goods_customs_duty"=>"$0.00", "tax_total"=>3.0, "partial_refund"=>nil, "gift_wrapped_item_count_display"=>"(0)", "gift_wrap_fee_total"=>"$0.00", "total"=>"$52.99", "raw_total"=>52.99, "currency_code"=>"$", "collected"=>0, "collected_cash"=>0, "collected_bucks"=>0, "collected_exchange

Re: How do you use the rex command to calculate a value?

Danielle2018V — Tue, 29 Sep 2020 20:06:46 GMT

I tried this also and got the same result, Is the rex command the most appropriate solution to gather a subtotal of the total field?

Below sample log data

$0.00", "raw_discount"=>0, "shipping_cost"=>"$0.00", "shipping_total"=>0, "tax"=>"$3.00", "occupancy_tax"=>nil, "tip"=>nil, "goods_customs_duty"=>"$0.00", "tax_total"=>3.0, "partial_refund"=>nil, "gift_wrapped_item_count_display"=>"(0)", "gift_wrap_fee_total"=>"$0.00", "total"=>"$52.99", "raw_total"=>52.99, "currency_code"=>"$", "collected"=>0, "collected_cash"=>0, "collected_bucks"=>0, "collected_exchange

Re: How do you use the rex command to calculate a value?

Danielle2018V — Fri, 22 Jun 2018 16:47:05 GMT

I was able to get it to work with a combination of all answers above.

rex field=_raw "total\"=>\"-\$(?[^\"]+)\""