Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How can I Rex to match until a string
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi folks,
I'm new to regex and am struggling to extract a number from a field. I basically need the amount extracted from the following;
Date Name Amount Curr Type Status
------------------- -------------------- ---------- ---- ------------ ------
07.05.2016 22:58:09 Person's Name 5.00 GBP Sale Okay
It is the variable length text before the number that I am struggling with.
Please can you suggest a way in which I can extract just the 5.00 in the above example?
Thanks in advance 🙂
Matt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this but ignoring the top 3 lines that I used to replicate your event.
Option 1 (from your raw event):
| stats count
| fields - count
| eval _raw = "07.05.2016 22:58:09 Person's Name 5.00 GBP Sale Okay"
| rex field=_raw "(?<Amount_num>\d+\.\d{2}) GBP"
Option 2 (assuming there's a field named Amount as indicated above):
| stats count
| fields - count
| eval Amount = "5.00 GBP"
| rex field=Amount "(?<Amount_num>\d+\.\d{2})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this but ignoring the top 3 lines that I used to replicate your event.
Option 1 (from your raw event):
| stats count
| fields - count
| eval _raw = "07.05.2016 22:58:09 Person's Name 5.00 GBP Sale Okay"
| rex field=_raw "(?<Amount_num>\d+\.\d{2}) GBP"
Option 2 (assuming there's a field named Amount as indicated above):
| stats count
| fields - count
| eval Amount = "5.00 GBP"
| rex field=Amount "(?<Amount_num>\d+\.\d{2})"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Many thanks for the prompt reply Javiergn, It shows I am new to this because I copied and pasted from one of my records and the formatting was lost. There are actually many spaces between the field sections. I have now found the code sample feature 😉 so the data should look like this;
Date Name Amount Curr Type Status
------------------- -------------------- ---------- ---- ------------ ------
07.05.2016 22:58:09 Person's name 5.00 GBP Sale Okay
The rex you gave did not return anything. Is this due to the extra spaces?
Thanks again!
Matt
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi again, your method worked great (minor error on my part) so I have exactly what I need.
Many thanks, you have really helped me out!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi, no worries. Happy to help.
If you are happy with the response please mark it as answered so that others can benefit from it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
done 🙂 TY
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
[Puzzles] Solve, Learn, Repeat: Matching cron expressions
Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass
May 2026 Splunk Expert Sessions: Security & Observability
