Splunk Search

How to extract an integer value after colon and display results using timechart?

hishamjan
Explorer

NOTICE: <script>: [3473090307|3167225225](SENDER[10.65.197.2:5073]): Current Active Inbound Calls: NOTICE: <script>: [3218481898|03116204181](SENDER[192.168.15.11:7060]): Current Active Inbound Calls: 8

I want to extract the integer value after the colon (:) i.e. 0 and 8 and then display these results as timechart.

I'm writing it as:

host=Kamailio NON=Active
| eval totalCount=mvcount(NON)
| timechart span=300s count by totalCount


p.s: NON is a field with multiple other values and Active is one of them which contains those integers which I want to display.


Any degree of help would be appreciated.


hishamjan
Explorer

I did that manually, using the + Extract New Fields (screenshot attached).


ITWhisperer
SplunkTrust

If you have already extracted CAIB, what values do you have in the field?


hishamjan
Explorer

These are the fields in it (screenshot attached).

ITWhisperer
SplunkTrust

As you can see, the value you have in CAIB is "Current Active Inbound Calls:" which is why the rex does not find any numbers when you specify field CAIB, and why the rex without specifying the field (which will work on _raw) does find the values you are after.


ITWhisperer
SplunkTrust

It is not overly clear what your events look like or which part of the event you are trying to extract. However, assuming it is a number after "Calls: " then this might help:

| rex "Calls: (?<calls>\d+)"
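To make the two replies above concrete, here is an added Python example (not code from the thread or from Splunk) that applies the same regex to the hand-extracted CAIB value and to the raw event, then buckets the captured counts into 300-second spans and keeps the maximum per span, which is what the poster's timechart should compute. The events and timestamps are constructed in the format quoted in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Pattern from the reply above: the integer right after "Calls: ".
# finditer() behaves like `rex max_match=0`: every occurrence in the
# event is captured, not just the first one.
CALLS_RE = re.compile(r"Current Active Inbound Calls: (?P<calls>\d+)")

# The field the poster extracted by hand holds only the label text, so the
# same regex finds nothing in it; that is why `rex field=CAIB` came back empty.
CAIB = "Current Active Inbound Calls:"

# Constructed sample events (timestamp, _raw). The second one mirrors the
# question: the first "Calls:" has no number before the next NOTICE.
EVENTS = [
    ("2021-02-15T17:50:00Z", "NOTICE: <script>: [1|2](SENDER[10.65.197.2:5073]): "
     "Current Active Inbound Calls: 3"),
    ("2021-02-15T17:52:00Z", "NOTICE: <script>: [1|2](SENDER[10.65.197.2:5073]): "
     "Current Active Inbound Calls: NOTICE: <script>: [3|4](SENDER[192.168.15.11:7060]): "
     "Current Active Inbound Calls: 8"),
    ("2021-02-15T17:56:00Z", "NOTICE: <script>: [1|2](SENDER[10.65.197.2:5073]): "
     "Current Active Inbound Calls: 0"),
]


def extract_calls(text):
    """Return every integer that follows 'Calls: ' in the given text."""
    return [int(m.group("calls")) for m in CALLS_RE.finditer(text)]


def timechart_max(events, span_seconds=300):
    """Bucket events into fixed spans, like `timechart span=300s max(calls)`.

    Returns {span_start_iso: max_calls}; spans with no captured value are dropped.
    """
    buckets = defaultdict(list)
    for ts, raw in events:
        epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
        start = epoch - epoch % span_seconds
        buckets[start].extend(extract_calls(raw))
    return {
        datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"): max(vals)
        for start, vals in sorted(buckets.items()) if vals
    }
```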

hishamjan
Explorer

Hi, thanks for the reply.

To answer your question, it is indeed a number after the "Calls: ".


I tried this solution but it does seem to search from the entire event and not from what I've typed in the search string:

CAIB="Current Active Inbound Calls:" | rex field=CAIB ".*=(?<number>\d+)\D" | timechart span=30s count by max(number)

where CAIB is a field that I extracted myself and number is a variable I used to store the values


ITWhisperer
SplunkTrust

How have you extracted CAIB?
