https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578017#M201433 <P>Sorry, but I don't really understand your issue. If you have same string with different numbers then previous example will get those. If your string parts are different then you must modify that rex or add additional rex statements on your SPL. Unfortunately we cannot help you without more examples.</P><P>r. Ismo</P> Fri, 10 Dec 2021 14:00:34 GMT isoutamo 2021-12-10T14:00:34Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577982#M201410 <PRE><SPAN class="">Hi everyone, I'm new here and having a problem filtering of numbers from a message. <STRONG>message: Generated non direct deposit usages: 4</STRONG> I just want to get the number. the number can be of any length.<BR /><BR />Who can hel<BR />Thx</SPAN></PRE> Fri, 10 Dec 2021 07:51:11 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577982#M201410 radi09 2021-12-10T07:51:11Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577983#M201411 <P>Hi</P><P>You could try e.g.</P><LI-CODE lang="markup">... &lt;YOUR SPL HERE&gt; | rex "message: Generated non direct deposit usages: (?&lt;numberOfUsage&gt;\d+)"</LI-CODE><P>r. Ismo&nbsp;</P> Fri, 10 Dec 2021 08:02:02 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577983#M201411 isoutamo 2021-12-10T08:02:02Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577988#M201415 <PRE><SPAN class="">Unfortunately it does not work in the output or do I have to pay attention to something else in the output?</SPAN></PRE> Fri, 10 Dec 2021 09:06:15 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577988#M201415 radi09 2021-12-10T09:06:15Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577989#M201416 <P>Hi</P><P>it should work if you input is based on your example.</P><LI-CODE lang="markup">| makeresults | eval _raw = "message: Generated non direct deposit usages: 4" ``` previous prepare test data``` | rex "message: Generated non direct deposit usages: (?&lt;numberOfUsage&gt;\d+)" | table numberOfUsage</LI-CODE><P>That gives numberOfUsage = 4</P><P>r. Ismo&nbsp;</P> Fri, 10 Dec 2021 09:27:17 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577989#M201416 isoutamo 2021-12-10T09:27:17Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577994#M201420 <PRE><SPAN class="">Hello <BR />sorry that's how it goes of course. I get many of these messages during the day, but with different numbers. I would like to list these numbers one below the other and unfortunately that does not work. thank you</SPAN></PRE> Fri, 10 Dec 2021 10:18:20 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/577994#M201420 radi09 2021-12-10T10:18:20Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578017#M201433 <P>Sorry, but I don't really understand your issue. If you have same string with different numbers then previous example will get those. If your string parts are different then you must modify that rex or add additional rex statements on your SPL. Unfortunately we cannot help you without more examples.</P><P>r. Ismo</P> Fri, 10 Dec 2021 14:00:34 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578017#M201433 isoutamo 2021-12-10T14:00:34Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578022#M201436 <PRE><SPAN class="">Here are a few examples that I have displayed as a table in Splunk,<BR />How can I now display the numbers in a separate column<BR /><BR /><BR />........ message="Generated Direct Deposit usages:*" | table datetime.date message<BR /><BR /></SPAN></PRE><P>&nbsp;</P><P>datetime.date&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; message</P><P>2021-12-10 11:26:22.973375&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 0<BR />2021-12-10 14:27:53.202609&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 0<BR />2021-12-10 12:24:12.388002&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 0<BR />2021-12-10 12:24:12.343508&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 0<BR />2021-12-10 14:28:53.920456&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 4<BR />2021-12-10 14:27:53.162497&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 0<BR />2021-12-10 11:26:23.004602&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 0<BR />2021-12-10 14:04:05.352226&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;Generated Direct Deposit usages: 22</P><PRE><SPAN class=""><BR /><BR /><BR /><BR /><BR /><BR /><BR /></SPAN></PRE><P>&nbsp;</P> Fri, 10 Dec 2021 14:30:21 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578022#M201436 radi09 2021-12-10T14:30:21Z https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578048#M201453 <P>Please try this&nbsp;</P><LI-CODE lang="markup">rex field=message "Generated non direct deposit usages: (?&lt;numberOfUsage&gt;\d+)"</LI-CODE> Fri, 10 Dec 2021 17:49:46 GMT https://community.splunk.com/t5/Splunk-Search/Fields-extract-values-display/m-p/578048#M201453 isoutamo 2021-12-10T17:49:46Z