Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help on a REX extract - and count

LizAndy123
Path Finder
‎01-27-2025 12:02 PM

So I have an Index

Index= xxxxxx "Stopping iteration"

I have the rex for getting the unique Id

Event Sample : Stopping iteration - 1900000000: 2000 Files accepted

so my current REX is rex "Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+)" and it extracts the 1900000000

I want to extract the 2000 number and then do a count for 24 hours.

Any help would be great

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 12:37 PM

One way is with addcoltotals

| rex "..."
``` more query stuff```
| addcoltotals file_count

 

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 12:10 PM

It would help to know what you've tried so far, but getting the other field is just a matter of extending the regex.

"Stopping\siteration[\s\-]+(?<stop_reg_id>[^:\s]+):\s*(?<file_count>\d+)"
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎01-27-2025 12:24 PM

Thanks

This helps extracting the number - how do I do the sum at the end ?

in 24 hours I could have 96 * 2000 file uploads

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 12:37 PM

One way is with addcoltotals

| rex "..."
``` more query stuff```
| addcoltotals file_count

 

---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎01-27-2025 12:41 PM

Hey Rich that works and I get the total at the bottom but it shows every single column also.

Example I had 98 Events and total was 157,000 but it shows every single event and the columns

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎01-27-2025 01:58 PM

If all you want is a single integer that is the total of all file_count values then stats is the way to go.

| rex "..."
``` more query stuff ```
| stats sum(file_count) as Total_Count

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

LizAndy123
Path Finder
‎01-27-2025 12:08 PM

So basically I need the total number of files I uploaded in a 24 hour period once I get that figure extracted

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability as Code: From Zero to Dashboard

For the details on what Self-Service Observability and Observability as Code is, we have some awesome content ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...