Solved: Get the number from the log with ":" Symbol

karthi25 · ‎05-04-2018

I have a log which looks like follows:

||pool-2-thread-1|| INFO  com.tmobile.sfdc.reports.service.OpportunityService - OPPORTUNITY_JOB: List size: 41 

||pool-2-thread-1|| INFO  com.tmobile.sfdc.reports.service.OpportunityService - OPPORTUNITY_JOB: List size: 140

I want to get the sum of the numbers(140+41+..), And I have tried the below query

base search| rex field=_raw "List size\"\:\"(?<size>[^\"]+)" | stats sum(size)

But it returns nothing. Can anyone please suggest me what am doing wrong.

elliotproebstel · ‎05-04-2018

How about this:

base search
| rex field=_raw "List size:\s(?<size>\d+)"
| stats sum(size)

Here's a working demo based on your data above:
https://regex101.com/r/LifiVU/1/

View solution in original post

elliotproebstel · ‎05-04-2018

How about this:

base search
| rex field=_raw "List size:\s(?<size>\d+)"
| stats sum(size)

Here's a working demo based on your data above:
https://regex101.com/r/LifiVU/1/

karthi25 · ‎05-07-2018

@elliotproebstel how can change the above query if it is the date. For eg: if I contains the log like
||pool-2-thread-1|| INFO com.tmobile.sfdc.reports.batch.listener.OrderJobListener - ORDER_JOB: ACTIVE at START_TIME: 2018-05-07T06:04:46.087Z

and I want to get the value "2018-05-07T06:04:46.087Z"

elliotproebstel · ‎05-07-2018

How about this:

base search
| rex field=_raw "(?<date>[^ ]+$)"

Here's a demo:
https://regex101.com/r/Y06SsX/1

This regex is collecting everything between the last space and the end of the line and assigning it to a field called date.

Get the number from the log with ":" Symbol

Wondering How to Build Resiliency in the Cloud?

Updated Data Management and AWS GDI Inventory in Splunk Observability

Introducing the Splunk Community Dashboard Challenge!