Solved: Help extracting from L15= so

rhugo · ‎10-29-2019

Please help me extract NGN4000000 from L15= so I can have a field of
TotalCash_In_ATM=NGN4000000.

2019-10-29 12:58:04.040 8 ResourceMgr ->KalReceiptPrinterImpl.Print( "GenericForm_ReceiptPrinter", "L00=<Daily Service - Final Cassettes Counts>,L01=<Cass id LCU01 LCU02 LCU03 LCU04>,L02=<Currency NGN NGN NGN NGN>,L03=<Denom 500 500 500 500>,L04=<Init count 2000 2000 2000 2000>,L05=<Left cass 1999 1999 1999 1999>,L06=<Reject 1 1 1 1>,L07=<Left in ATM 2000 2000 2000 2000>,L08=<Dispensed 0 0 0 0>,L09=<Recycled 0 0 0 0>,L10=<Retract 0 0 0 0>,L11=<Adjustment 0 0 0 0>,L12=<PwrF adjust 0 0 0 0>,L13=<>,L14=<Retract Events: 0>,L15=<Total Cash in ATM: NGN4000000>,L16=<>,L17=<>,L18=<SIGNATURE: ....................>,L19=<BRANCH: 0029 some location >,L20=<ATM Id: 005 29/10/19 12:58 Page 02>,", 10000, True )

woodcock · ‎10-29-2019

Like this:

... | rex "<Total Cash in ATM:\s*(?<TotalCash_In_ATM>[^>]+)"

View solution in original post

rhugo · ‎10-30-2019

Okay, I think I got it now
... | rex "[^>]+)" | eval TotalCash_In_ATM = trim(replace(TotalCash_In_ATM, "NGN", ""))

rhugo · ‎10-30-2019

What if i want to just extract 4000000 with out the NGN in front of it, please how do i achieve that?

rhugo · ‎10-30-2019

Thank you. It worked.

rhugo · ‎10-30-2019

What if i want to just extract 4000000 with out the NGN in front of it, please how do i achieve that?

woodcock · ‎10-29-2019

Like this:

... | rex "<Total Cash in ATM:\s*(?<TotalCash_In_ATM>[^>]+)"

Help extracting from L15= so

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Continue Your Federation Journey: Join Session 3 of the Bootcamp Series

Announcing Modern Navigation: A New Era of Splunk User Experience

Casting Call: Compete in Cyber Games

Join the Conversation