Splunk Search

Getting data in called "SUM(AMOUNT)"

nc-mvw
Engager

I'm using Splunk for the first time, and I have an sql query giving the following output:

2020-08-31 00:17:34.608, EMPTY_DATE="2020-12-03 00:00:00.0", ANTAL="2", SUM(AMOUNT)="2533"


The "SUM(AMOUNT)" is not saved under a name/alias (which, in retrospect, I should have done). However, now I don't know how to get the data out.

I've tried the following (but I suspect Splunk gets confused by a name which is also a function):

| table  ANTAL "SUM(AMOUNT)"

Is there a way to get the number out without going back and adding a name/alias to the sql?

1 Solution

rnowitzki
Builder

Hi @nc-mvw,

You could work with a regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""


Now the value is in the field sum_amount.

You could add a field extraction with the same RegEx, so you don't have to use the rex command each time.

Either with the gui or directly in the .conf files. 

BR
Ralph

--
Karma and/or Solution tagging appreciated.

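The rex extraction from the answer above, ported to Python as an added example that is not part of the original thread or of Splunk's own code. It runs the same regex over a few constructed DB Connect-style events (the first mirrors the line in the question; the other two, with a decimal value and with the field missing, are made up here) and shows two things the one-liner does not: Splunk's rex uses the PCRE named-group syntax (?<name>...) while Python's re module needs (?P<name>...), and \d+ only matches unsigned integers, so a value like "12045.75" is not matched at all and the field simply comes back empty. The extract_field and extract_all_fields helpers generalise the technique (escape the literal field name, capture whatever sits between the quotes) and are assumptions of this example, not Splunk commands.

```python
import re

# Constructed sample events. Only the first line mirrors the format shown in
# the question; the second and third are invented here to exercise a decimal
# value and a missing field. The field name SUM(AMOUNT) contains parentheses,
# which is why the regex has to escape them.
SAMPLE_EVENTS = [
    '2020-08-31 00:17:34.608, EMPTY_DATE="2020-12-03 00:00:00.0", ANTAL="2", SUM(AMOUNT)="2533"',
    '2020-08-31 00:18:01.120, EMPTY_DATE="2020-12-04 00:00:00.0", ANTAL="5", SUM(AMOUNT)="12045.75"',
    '2020-08-31 00:18:30.004, EMPTY_DATE="2020-12-05 00:00:00.0", ANTAL="0"',
]

# The regex from the accepted answer, ported to Python: Splunk's rex takes the
# PCRE named group (?<sum_amount>...), Python's re module wants (?P<sum_amount>...).
SUM_AMOUNT_RE = re.compile(r'SUM\(AMOUNT\)="(?P<sum_amount>\d+)"')


def extract_sum_amount(event: str):
    r"""Mirror of `| rex "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""` for one event.

    Returns the captured value as an int, or None when the pattern does not
    match. \d+ only matches unsigned integers: for "12045.75" the closing quote
    does not follow the digits, so there is no match and the field is empty
    rather than truncated.
    """
    m = SUM_AMOUNT_RE.search(event)
    return int(m.group("sum_amount")) if m else None


def extract_field(event: str, field_name: str):
    """General form of the same technique (hypothetical helper, not an SPL command).

    re.escape handles the parentheses the way the answer escaped them by hand,
    and [^"]* captures whatever sits between the quotes, so decimals and
    negative values survive. Returns the raw string or None.
    """
    pattern = re.compile(re.escape(field_name) + r'="(?P<value>[^"]*)"')
    m = pattern.search(event)
    return m.group("value") if m else None


def extract_all_fields(event: str):
    """Parse every KEY="value" pair of an event into a dict (hypothetical helper).

    The key class deliberately admits ( and ), which a bare identifier would
    not allow; the dict, not a regex group name, is what carries the awkward name.
    """
    kv_re = re.compile(r'(?P<key>[A-Za-z_][A-Za-z0-9_()]*)="(?P<value>[^"]*)"')
    return {m.group("key"): m.group("value") for m in kv_re.finditer(event)}


def total_amount(events):
    """Rough equivalent of `| stats sum(sum_amount)`: adds up the values that
    extract_field finds and skips events where the field is absent."""
    values = [extract_field(e, "SUM(AMOUNT)") for e in events]
    return sum(float(v) for v in values if v is not None)


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(extract_sum_amount(event), extract_field(event, "SUM(AMOUNT)"))
    print(extract_all_fields(SAMPLE_EVENTS[0]))
    print(total_amount(SAMPLE_EVENTS))
```

Two practical notes. A PCRE group name, and therefore a Splunk field created by rex, may only contain letters, digits and underscores, so the value has to land in a name like sum_amount; the original SUM(AMOUNT) can never be the group name. And if the values can be decimal or negative, widen the capture (for example [^"]* as above, or -?\d+(?:\.\d+)?) before making the extraction permanent; the persistent form of the answer's rex is an `EXTRACT-sum_amount = SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\"` line in the sourcetype's props.conf stanza, and a too-narrow pattern there fails silently on every event it does not match.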

nc-mvw
Engager

Great - works like a charm. Thank you very much!
