topic Re: Extract a number from event message field in Splunk Search

Extract a number from event message field

codebased — Wed, 14 Jun 2017 05:18:38 GMT

Hi Guys,

I have been trying to extract the number at the end of EVENT_MESSAGE field.

Text sample:
SERVER=SERVERNAME; EVENT_MESSAGE=Number of Offers ready to send: 6

I am using the following query:

rex field=EVENT_MESSAGE "Number of Offers ready to send: (?<offercount>\d+$)" | table offercount

However I am not getting any result; the offercount result is empty.

Re: Extract a number from event message field

dineshraj9 — Wed, 14 Jun 2017 06:06:58 GMT

Try this

rex field=EVENT_MESSAGE "Number of Offers ready to send: (?<offercount>\d+)" | table offercount

Re: Extract a number from event message field

codebased — Wed, 14 Jun 2017 06:53:37 GMT

Thank you @dineshraj9. I was actually using ? but somehow it got removed from my original question. I have copied your snippet as it is but it is not working :(. The offercount is all empty.

Re: Extract a number from event message field

dineshraj9 — Wed, 14 Jun 2017 06:57:24 GMT

Can you paste the exact value in the EVENT_MESSAGE field? when I tested with the sample provided by you it worked.

| makeresults | eval EVENT_MESSAGE="Number of Offers ready to send: 6" | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount

You could also try -

<your search> | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount

Re: Extract a number from event message field

codebased — Tue, 29 Sep 2020 14:27:52 GMT

This is what I have tried:
APP_PATH="/Apiv0" EVENT_MESSAGE=Number of Offers ready to send | rex field=EVENT_MESSAGE "\D+(?\d+)" | table offercount

My splunk log is:

2017-06-15 03:00:12.8818; LOG_LEVEL=Info; SOURCE=JobRepository; APP_PATH=/Apiv0; VERSION=0.1.0.90; CORRELATION_IDENTIFIER=fe800697-df6a-4ce6-9438-27d106ab0005; SERVER=XXXX; EVENT_MESSAGE=Number of Offers ready to send: 6

The result is:

Events (14)
- ...
Statistics (14)
- Empty List

Re: Extract a number from event message field

DalJeanis — Thu, 15 Jun 2017 02:25:17 GMT

Just for grins, try this -

| rex field=_raw "Number of Offers ready to send: (?<offercount>\d+)"

If it works, then EVENT_MESSAGE is probably somehow not an extracted field.

Re: Extract a number from event message field

yuanliu — Tue, 29 Sep 2020 14:30:26 GMT

Unless you have some customised field extraction for EVENT_MESSAGE, Splunk will automatically assign "Number" to EVENT_MESSAGE instead of "Number of Offers ready to send: 6" that @codebased seems to expect. The above should work. (field=_raw is assumed by default so no need to specify.)

Re: Extract a number from event message field

codebased — Thu, 15 Jun 2017 04:53:08 GMT

Indeed it is not a field!

Re: Extract a number from event message field

codebased — Thu, 15 Jun 2017 04:53:24 GMT

Thank you so much for your help. It is resolved. I had to use _raw.

Re: Extract a number from event message field

DalJeanis — Thu, 15 Jun 2017 14:23:45 GMT

@codebased - I suspected so.

@yuanliu is correct that field=_raw is default, but on these forums I like to be explicit, in case a reader doesn't understand that the rex is operating on some specific field... like the one that in this case didn't exist...