Solved: How do you use the rex command to calculate a valu...

Danielle2018V · ‎06-20-2018

Hello,

I'm new to Splunk and I have the following field and want to grab the subtotal of the field total using the rex_raw field.

This is the field in the log file

 "total"=>"$37.05",

This is the code I wrote any idea why it's not working?

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US"  | rex  field=_raw "total\"=>\"$\"(?<refund_amount>.*)\"" | stats sum(refund_amount) as amount_refunded

darrenfuller · ‎06-20-2018

Hey..

You didn't make any fields in your regular expression. For rex to work you need to have a regular expression with at least one named capture group like: (?pattern)

try something like:

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US" 
| rex field=_raw "total\"=>\"$(?<refund_amount>[^\"]+)\"" 
| stats sum(refund_amount) as amount_refunded

View solution in original post

Danielle2018V · ‎06-22-2018

I was able to get it to work with a combination of all answers above.

rex field=_raw "total\"=>\"-\$(?[^\"]+)\""

somesoni2 · ‎06-20-2018

Try this

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US" 
| rex  field=_raw "total\"\=\>\"\$(?<refund_amount>.*)\""
 | stats sum(refund_amount) as amount_refunded

See this runanywhere sample search

| gentimes start=-1 | eval _raw="Somes other test  \"total\"=>\"$37.05\", more text" | table _raw | rex  field=_raw "total\"\=\>\"\$(?<refund_amount>.*)\""

Danielle2018V · ‎06-20-2018

I tried this also and got the same result, Is the rex command the most appropriate solution to gather a subtotal of the total field?

Below sample log data

$0.00", "raw_discount"=>0, "shipping_cost"=>"$0.00", "shipping_total"=>0, "tax"=>"$3.00", "occupancy_tax"=>nil, "tip"=>nil, "goods_customs_duty"=>"$0.00", "tax_total"=>3.0, "partial_refund"=>nil, "gift_wrapped_item_count_display"=>"(0)", "gift_wrap_fee_total"=>"$0.00", "total"=>"$52.99", "raw_total"=>52.99, "currency_code"=>"$", "collected"=>0, "collected_cash"=>0, "collected_bucks"=>0, "collected_exchange

ddrillic · ‎06-20-2018

Something like - "total"=>\$(?<sum>.*)

alt text

darrenfuller · ‎06-20-2018

Hey..

You didn't make any fields in your regular expression. For rex to work you need to have a regular expression with at least one named capture group like: (?pattern)

try something like:

index="test" "Splunktest" "Refund succeeded" "current_cty_domain : US" 
| rex field=_raw "total\"=>\"$(?<refund_amount>[^\"]+)\"" 
| stats sum(refund_amount) as amount_refunded

Danielle2018V · ‎06-20-2018

Thanks everyone for the speedy responses. I tried all three suggestions but still received the same error "no results found". Below is a sample of the log file. You can see that the total is $52.99 but still no results were found.Is the rex command the most appropriate solution to gather a subtotal of the total field?

Thanks

"$0.00", "raw_discount"=>0, "shipping_cost"=>"$0.00", "shipping_total"=>0, "tax"=>"$3.00", "occupancy_tax"=>nil, "tip"=>nil, "goods_customs_duty"=>"$0.00", "tax_total"=>3.0, "partial_refund"=>nil, "gift_wrapped_item_count_display"=>"(0)", "gift_wrap_fee_total"=>"$0.00", "total"=>"$52.99", "raw_total"=>52.99, "currency_code"=>"$", "collected"=>0, "collected_cash"=>0, "collected_bucks"=>0, "collected_exchange

How do you use the rex command to calculate a value?

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

Are you a member of the Splunk Community?

How do you use the rex command to calculate a value?

What’s New in Splunk Observability Cloud – June 2025

Almost Too Eventful Assurance: Part 2

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos