Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Extract and/or add numbers from a string

apoorvaaccount
New Member
‎02-28-2024 09:19 AM

I have string field:

provTimes: a=10; b=15; c=10;

it basically has semicolon separated sub-fields in the value. Each sub-field has a number on right hand side. 

These fields are dynamic, can be a,v,e,f in 1 event and z,y in another event. Ignoring the sub field names, I'm only concerned with the numbers they have. I just want to add them all.

 Example

 

provTimes: a=10; b=15; c=10;  

result = 35

 

provTimes: x=10; b=5;

result = 15

Labels (4)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎02-28-2024 02:56 PM

Or, in the old fashioned extract (aka kv) and foreach😉,

 

| rename _raw AS temp, provTimes AS _raw
| rex mode=sed "s/\S+=/provTimes_&/g"
| kv
| foreach provTimes_*
    [eval sum = mvappend(sum, '<<FIELD>>')]
| eval sum = sum(sum)
``` below are cleanups, only if you want to restore world order ```
| fields - provTimes_*
| rex mode=sed "s/provTimes_//g"
| rename _raw AS provTimes, temp AS _raw

 

Here is an emulation you can play with and compare with real data

 

| makeresults format=csv data="provTimes
a=10; b=15; c=10;
x=10; b=5;"
``` data emulation above ```

 

Output from this emulation is

provTimessum
a=10; b=15; c=10;35
x=10; b=5;15
Tags (2)
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎02-28-2024 10:07 AM

If you can install the mvstats app (https://splunkbase.splunk.com/app/5198) then this will do it.

| rex max_match=0 "provTimes: \w+=(?<provTimes>\d+);"
| mvstats sum provTimes as result

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...