Splunk Search
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on a REX extract - and count

LizAndy123
Path Finder
‎01-27-2025 12:02 PM

So I have an Index

Index= xxxxxx "Stopping iteration"

I have the rex for getting the unique Id

Event Sample : Stopping iteration - 1900000000: 2000 Files accepted

so my current REX is rex "Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+)" and it extracts the 1900000000

I want to extract the 2000 number and then do a count for 24 hours.

Any help would be great

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 12:37 PM

One way is with addcoltotals

| rex "..."
``` more query stuff```
| addcoltotals file_count

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 12:10 PM

It would help to know what you've tried so far, but getting the other field is just a matter of extending the regex.

"Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+):\s*(?<file_count>\d+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎01-27-2025 12:24 PM

Thanks

This helps extracting the number - how do I do the sum at the end ?

in 24 hours I could have 96 * 2000 file uploads

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 12:37 PM

One way is with addcoltotals

| rex "..."
``` more query stuff```
| addcoltotals file_count

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎01-27-2025 12:41 PM

Hey Rich that works and I get the total at the bottom but it shows every single column also.

Example I had 98 Events and total was 157,000 but it shows every single event and the columns

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 01:58 PM

If all you want is a single integer that is the total of all file_count values then stats is the way to go.

| rex "..."
``` more query stuff ```
| stats sum(file_count) as Total_Count

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎01-27-2025 12:08 PM

So basically I need the total number of files I uploaded in a 24 hour period once I get that figure extracted

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing the Expansion of the Splunk Academic Alliance Program

The Splunk Community is more than just an online forum — it’s a network of passionate users, administrators, ...

Learn Splunk Insider Insights, Do More With Gen AI, & Find 20+ New Use Cases You Can ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Buttercup Games: Further Dashboarding Techniques (Part 7)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top