Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract an integer value after colon and display results using timechart?

hishamjan
Explorer
‎02-15-2021 12:53 AM

NOTICE: <script>: [3473090307|3167225225](SENDER[10.65.197.2:5073]): Current Active Inbound Calls: NOTICE: <script>: [3218481898|03116204181](SENDER[192.168.15.11:7060]): Current Active Inbound Calls: 8

I want to extract the integer value after the colon (:) i.e. 0 and 8 and then display these results as timechart.

I'm writing it as:

host=Kamailio NON=Active
| eval totalCount=mvcount(NON)
| timechart span=300s count by totalCount

 

p.s: NON is a field with multiple other values and Active is one of them which contains those integers which I want to display.

 

Any degree of help would be appreciated.

Labels (5)
0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 04:55 AM

I did that manually, using the  + Extract New Fields (ss attached):

Screenshot 2021-02-15 at 5.54.31 PM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 05:11 AM

If you have already extracted CAIB, what values do you have in the field?

0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 05:22 AM

Screenshot 2021-02-15 at 6.19.42 PM.pngthese are the fields in it.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 06:02 AM

As you can see, the value you have in CAIB is "Current Active Inbound Calls:" which is why the rex does not find any numbers when you specify field CAIB, and why the rex without specifying the field (which will work on _raw) does find the values you are after.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 02:09 AM

It Is not overly clear what you events look like or which part of the event you are trying to extract. However, assuming it is a number after "Calls: " then this might help

| rex "Calls: {?<calls>\d+)"
0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 04:28 AM

Hi, thanks for the reply. 

To answer your question, it is indeed a number after the " Calls: "

 

I tried this solution but it does seem to search from the entire event and not from what I've typed in the search string:

CAIB="Current Active Inbound Calls:" | rex field=CAIB ".*=(?<number>\d+)\D" | timechart span=30s count by max(number)

where CAIB is a field that I extracted myself and number is a variable I used to store the values

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 04:34 AM

How have you extracted CAIB?

0 Karma
Reply
Get Updates on the Splunk Community!

See your relevant APM services, dashboards, and alerts in one place with the updated ...

As a Splunk Observability user, you have a lot of data you have to manage, prioritize, and troubleshoot on a ...

Index This | What goes away as soon as you talk about it?

May 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this month’s ...

What's New in Splunk Observability Cloud and Splunk AppDynamics - May 2025

This month, we’re delivering several new innovations in Splunk Observability Cloud and Splunk AppDynamics ...
Top