Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Getting data in called "SUM(AMOUNT)"

nc-mvw
Engager
‎09-01-2020 03:50 AM

I'm using Splunk for the first time, and I have an sql query giving the following output:

2020-08-31 00:17:34.608, EMPTY_DATE="2020-12-03 00:00:00.0", ANTAL="2", SUM(AMOUNT)="2533"

 

The "SUM(AMOUNT)" is not saved under a name/alias (which I should have done retrospectively). However, now I don't know how to get the data out.

I've tried to the following (but I suspect Splunk get's confused with a name which is also a function):

| table  ANTAL "SUM(AMOUNT)"

Is there a way to get the number out without going back and adding a name/alias to the sql?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rnowitzki
Builder
‎09-01-2020 04:06 AM

Hi @nc-mvw,

You could work with an regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""


Now the valie is in the field sum_amount.

You could add a field extraction with the same RegEx, so don't have to use the rex command each time.

Either with the gui or directly in the .conf files. 

BR
Ralph

--
Karma and/or Solution tagging appreciated.

View solution in original post

Reply
Solved! Jump to solution

nc-mvw
Engager
‎09-01-2020 05:32 AM

Great - works like a charm. Thank you very much!

0 Karma
Reply
Solved! Jump to solution
Solution

rnowitzki
Builder
‎09-01-2020 04:06 AM

Hi @nc-mvw,

You could work with an regular expression to get the value.

| rex  "SUM\(AMOUNT\)=\"(?<sum_amount>\d+)\""


Now the valie is in the field sum_amount.

You could add a field extraction with the same RegEx, so don't have to use the rex command each time.

Either with the gui or directly in the .conf files. 

BR
Ralph

--
Karma and/or Solution tagging appreciated.
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Introducing Splunk 10.0: Smarter, Faster, and More Powerful Than Ever

Now On Demand Whether you're managing complex deployments or looking to future-proof your data ...

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...