Hi everyone, I'm new here and having a problem filtering of numbers from a message.
message: Generated non direct deposit usages: 4
I just want to get the number.
the number can be of any length.
Who can hel
Thx
Hi
You could try e.g.
... <YOUR SPL HERE>
| rex "message: Generated non direct deposit usages: (?<numberOfUsage>\d+)"
r. Ismo
Here are a few examples that I have displayed as a table in Splunk,
How can I now display the numbers in a separate column
........ message="Generated Direct Deposit usages:*" | table datetime.date message
datetime.date message
2021-12-10 11:26:22.973375 Generated Direct Deposit usages: 0
2021-12-10 14:27:53.202609 Generated Direct Deposit usages: 0
2021-12-10 12:24:12.388002 Generated Direct Deposit usages: 0
2021-12-10 12:24:12.343508 Generated Direct Deposit usages: 0
2021-12-10 14:28:53.920456 Generated Direct Deposit usages: 4
2021-12-10 14:27:53.162497 Generated Direct Deposit usages: 0
2021-12-10 11:26:23.004602 Generated Direct Deposit usages: 0
2021-12-10 14:04:05.352226 Generated Direct Deposit usages: 22
Please try this
rex field=message "Generated non direct deposit usages: (?<numberOfUsage>\d+)"
Hello
sorry that's how it goes of course.
I get many of these messages during the day, but with different numbers. I would like to list these numbers one below the other and unfortunately that does not work.
thank you
Sorry, but I don't really understand your issue. If you have same string with different numbers then previous example will get those. If your string parts are different then you must modify that rex or add additional rex statements on your SPL. Unfortunately we cannot help you without more examples.
r. Ismo
Unfortunately it does not work
in the output or do I have to pay attention to something else in the output?
Hi
it should work if you input is based on your example.
| makeresults
| eval _raw = "message: Generated non direct deposit usages: 4"
``` previous prepare test data```
| rex "message: Generated non direct deposit usages: (?<numberOfUsage>\d+)"
| table numberOfUsage
That gives numberOfUsage = 4
r. Ismo
Hi
You could try e.g.
... <YOUR SPL HERE>
| rex "message: Generated non direct deposit usages: (?<numberOfUsage>\d+)"
r. Ismo