Solved: Getting data in called "SUM(AMOUNT)"

nc-mvw · ‎09-01-2020

I'm using Splunk for the first time, and I have an sql query giving the following output:

2020-08-31 00:17:34.608, EMPTY_DATE="2020-12-03 00:00:00.0", ANTAL="2", SUM(AMOUNT)="2533"

The "SUM(AMOUNT)" is not saved under a name/alias (which I should have done retrospectively). However, now I don't know how to get the data out.

I've tried to the following (but I suspect Splunk get's confused with a name which is also a function):

| table ANTAL "SUM(AMOUNT)"

Is there a way to get the number out without going back and adding a name/alias to the sql?

rnowitzki · ‎09-01-2020

Hi @nc-mvw,

You could work with an regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""

Now the valie is in the field sum_amount.

You could add a field extraction with the same RegEx, so don't have to use the rex command each time.

Either with the gui or directly in the .conf files.

BR
Ralph

--
Karma and/or Solution tagging appreciated.

View solution in original post

nc-mvw · ‎09-01-2020

Great - works like a charm. Thank you very much!

rnowitzki · ‎09-01-2020

Hi @nc-mvw,

You could work with an regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""

Now the valie is in the field sum_amount.

You could add a field extraction with the same RegEx, so don't have to use the rex command each time.

Either with the gui or directly in the .conf files.

BR
Ralph

--
Karma and/or Solution tagging appreciated.

Getting data in called "SUM(AMOUNT)"

field extraction

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?