topic Re: How to extract an integer value after colon and display results using timechart? in Splunk Search

How to extract an integer value after colon and display results using timechart?

hishamjan — Mon, 15 Feb 2021 09:05:45 GMT

NOTICE: <script>: [3473090307|3167225225](SENDER[10.65.197.2:5073]): Current Active Inbound Calls: NOTICE: <script>: [3218481898|03116204181](SENDER[192.168.15.11:7060]): Current Active Inbound Calls: 8

I want to extract the integer value after the colon (:) i.e. 0 and 8 and then display these results as timechart.

I'm writing it as:

host=Kamailio NON=Active
| eval totalCount=mvcount(NON)
| timechart span=300s count by totalCount

p.s: NON is a field with multiple other values and Active is one of them which contains those integers which I want to display.

Any degree of help would be appreciated.

Re: How to extract an integer value after colon and display results using timechart?

ITWhisperer — Mon, 15 Feb 2021 10:09:44 GMT

It Is not overly clear what you events look like or which part of the event you are trying to extract. However, assuming it is a number after "Calls: " then this might help

| rex "Calls: {?<calls>\d+)"

Re: How to extract an integer value after colon and display results using timechart?

hishamjan — Mon, 15 Feb 2021 12:28:50 GMT

Hi, thanks for the reply.

To answer your question, it is indeed a number after the " Calls: "

I tried this solution but it does seem to search from the entire event and not from what I've typed in the search string:

CAIB="Current Active Inbound Calls:" | rex field=CAIB ".*=(?<number>\d+)\D" | timechart span=30s count by max(number)

where CAIB is a field that I extracted myself and number is a variable I used to store the values

Re: How to extract an integer value after colon and display results using timechart?

ITWhisperer — Mon, 15 Feb 2021 12:34:34 GMT

How have you extracted CAIB?

Re: How to extract an integer value after colon and display results using timechart?

hishamjan — Mon, 15 Feb 2021 12:55:01 GMT

I did that manually, using the + Extract New Fields (ss attached):

Re: How to extract an integer value after colon and display results using timechart?

ITWhisperer — Mon, 15 Feb 2021 13:11:13 GMT

If you have already extracted CAIB, what values do you have in the field?

Re: How to extract an integer value after colon and display results using timechart?

hishamjan — Mon, 15 Feb 2021 13:22:16 GMT

these are the fields in it.

Re: How to extract an integer value after colon and display results using timechart?

ITWhisperer — Mon, 15 Feb 2021 14:02:12 GMT

As you can see, the value you have in CAIB is "Current Active Inbound Calls:" which is why the rex does not find any numbers when you specify field CAIB, and why the rex without specifying the field (which will work on _raw) does find the values you are after.