Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to extract an integer value after colon and display results using timechart?

hishamjan
Explorer
‎02-15-2021 12:53 AM

NOTICE: <script>: [3473090307|3167225225](SENDER[10.65.197.2:5073]): Current Active Inbound Calls: NOTICE: <script>: [3218481898|03116204181](SENDER[192.168.15.11:7060]): Current Active Inbound Calls: 8

I want to extract the integer value after the colon (:) i.e. 0 and 8 and then display these results as timechart.

I'm writing it as:

host=Kamailio NON=Active
| eval totalCount=mvcount(NON)
| timechart span=300s count by totalCount

 

p.s: NON is a field with multiple other values and Active is one of them which contains those integers which I want to display.

 

Any degree of help would be appreciated.

Labels (5)
0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 04:55 AM

I did that manually, using the  + Extract New Fields (ss attached):

Screenshot 2021-02-15 at 5.54.31 PM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 05:11 AM

If you have already extracted CAIB, what values do you have in the field?

0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 05:22 AM

Screenshot 2021-02-15 at 6.19.42 PM.pngthese are the fields in it.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 06:02 AM

As you can see, the value you have in CAIB is "Current Active Inbound Calls:" which is why the rex does not find any numbers when you specify field CAIB, and why the rex without specifying the field (which will work on _raw) does find the values you are after.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 02:09 AM

It Is not overly clear what you events look like or which part of the event you are trying to extract. However, assuming it is a number after "Calls: " then this might help

| rex "Calls: {?<calls>\d+)"
0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 04:28 AM

Hi, thanks for the reply. 

To answer your question, it is indeed a number after the " Calls: "

 

I tried this solution but it does seem to search from the entire event and not from what I've typed in the search string:

CAIB="Current Active Inbound Calls:" | rex field=CAIB ".*=(?<number>\d+)\D" | timechart span=30s count by max(number)

where CAIB is a field that I extracted myself and number is a variable I used to store the values

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 04:34 AM

How have you extracted CAIB?

0 Karma
Reply
Get Updates on the Splunk Community!

3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?

TECH TALKS3-2-1 Go! How Fast Can You Debug Microservices with Observability Cloud?Join this Tech Talk to learn ...

Leverage Cisco Talos Threat Intelligence Across Splunk Security Products

Leverage Cisco Talos Threat Intelligence Across Splunk Security Products   Security Edition   Have you ...

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience

What’s New in Splunk Enterprise 9.4: Tools for Digital Resilience Tune in to What’s New in Splunk Enterprise ...