Splunk Search

## Field Extraction And Evaluation

Observer

From the screenshot, i would like to achieve the below;

LCU04 = 500 x 00000
LCU03 = 500 x 01985
LCU02 = 500 x 01985
LCU01 = 500 x 01985

Then, LCU = (LCU04 + LCU03 + LCU02 + LCU01)

Thank you.

Like this:

``````| makeresults
| eval raw="2019-12-04 11:31:42.027 8 ResourceMgr   ATM 11:31:42 LCU Lcu04 500   00 00000   {journal}:::2019-12-04 11:31:42.024 8 ResourceMgr   ATM 11:31:42 LCU Lcu03 500   01 01985   {journal}:::2019-12-04 11:31:42.020 8 ResourceMgr   ATM 11:31:42 LCU Lcu02 500   01 01985   {journal}:::2019-12-04 11:31:42.017 8 ResourceMgr   ATM 11:31:42 LCU Lcu01 500   00 01985   {journal}"
| makemv delim=":::" raw
| mvexpand raw
| rename raw AS _raw
| eval _time = strptime(_raw, "%Y-%m-%d %H:%M:%S.%3N")
| sort 0 - _time

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "LCU\s+(?<LCU_key>\S+)\s+(?<LCU_base>\d+)\s+(?<LCU_stage>\d+)\s+(?<LCU_multiplier>\d+)"
| eval {LCU_key} = LCU_base * LCU_multiplier
| filldown Lcu*
| eval LCU_total = Lcu01 + Lcu02 + Lcu03 + Lcu04
| where isnotnull(LCU_total)
| table LCU_total *
``````
NEVER post images without also posting the text, otherwise WE have to type it in to help you.

Thank you. This helped.

