topic Re: Regex Money in Splunk Search

Regex Money

rpascua — Tue, 25 Mar 2014 19:46:29 GMT

My Regex:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"

The problem:

If John took money out three times within a 24-hour period, using the REGEX above, I would have a 3-liner output like below...

John Deposit 0 Withdrawal 50 Total Withdrawal 50

John Deposit 0 Withdrawal 35 Total Withdrawal 35

John Deposit 0 Withdrawal 25 Total Withdrawal 25

But all I need is a one-liner like so:

John Deposit 0 Withdrawal 110 Total Withdrawal 110

I tried multiple combinations on that last line of code (addtotals) but keep coming up empty. Any assistance would be much appreciated.

Re: Regex Money

martin_mueller — Tue, 25 Mar 2014 20:06:19 GMT

You're trying to calculate the sum of deposits and withdrawals per person? Append this:

... | stats sum(Deposit) sum(Withdrawal) by Name

Re: Regex Money

rpascua — Tue, 25 Mar 2014 20:28:28 GMT

Yes, I tried "stats" as well. But instead of typing each name (ie. John, Stacey, Logan) I'm trying to parse out an entire list of names along with the number of withdrawals they made within the last 24 hours.

I'm trying to avoid doing this for each names:

Stacey " withdrawal" | rex "\sof (?[A-Za-z0-9_]+)" | rex ........ and so on

Re: Regex Money

martin_mueller — Tue, 25 Mar 2014 20:30:13 GMT

That's what the by Name is for.

Re: Regex Money

rpascua — Tue, 25 Mar 2014 20:40:22 GMT

Oh.. duh. It works! Thank you Splunk God!

Re: Regex Money

marcoscala — Tue, 01 Apr 2014 23:41:09 GMT

And remember that you can write a single "Rex" matching all the different fields you need to extract, if of course are ALL present in the same event...

Marco