Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting data in called "SUM(AMOUNT)"

nc-mvw
Engager
‎09-01-2020 03:50 AM

I'm using Splunk for the first time, and I have an sql query giving the following output:

2020-08-31 00:17:34.608, EMPTY_DATE="2020-12-03 00:00:00.0", ANTAL="2", SUM(AMOUNT)="2533"

 

The "SUM(AMOUNT)" is not saved under a name/alias (which I should have done retrospectively). However, now I don't know how to get the data out.

I've tried to the following (but I suspect Splunk get's confused with a name which is also a function):

| table  ANTAL "SUM(AMOUNT)"

Is there a way to get the number out without going back and adding a name/alias to the sql?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎09-01-2020 04:06 AM

Hi @nc-mvw,

You could work with an regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""


Now the valie is in the field sum_amount.

You could add a field extraction with the same RegEx, so don't have to use the rex command each time.

Either with the gui or directly in the .conf files. 

BR
Ralph

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution

nc-mvw
Engager
‎09-01-2020 05:32 AM

Great - works like a charm. Thank you very much!

0 Karma
Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎09-01-2020 04:06 AM

Hi @nc-mvw,

You could work with an regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""


Now the valie is in the field sum_amount.

You could add a field extraction with the same RegEx, so don't have to use the rex command each time.

Either with the gui or directly in the .conf files. 

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...