Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to extract an integer value after colon and display results using timechart?

hishamjan
Explorer
‎02-15-2021 12:53 AM

NOTICE: <script>: [3473090307|3167225225](SENDER[10.65.197.2:5073]): Current Active Inbound Calls: NOTICE: <script>: [3218481898|03116204181](SENDER[192.168.15.11:7060]): Current Active Inbound Calls: 8

I want to extract the integer value after the colon (:) i.e. 0 and 8 and then display these results as timechart.

I'm writing it as:

host=Kamailio NON=Active
| eval totalCount=mvcount(NON)
| timechart span=300s count by totalCount

 

p.s: NON is a field with multiple other values and Active is one of them which contains those integers which I want to display.

 

Any degree of help would be appreciated.

Labels (5)
0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 04:55 AM

I did that manually, using the  + Extract New Fields (ss attached):

Screenshot 2021-02-15 at 5.54.31 PM.png

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 05:11 AM

If you have already extracted CAIB, what values do you have in the field?

0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 05:22 AM

Screenshot 2021-02-15 at 6.19.42 PM.pngthese are the fields in it.

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 06:02 AM

As you can see, the value you have in CAIB is "Current Active Inbound Calls:" which is why the rex does not find any numbers when you specify field CAIB, and why the rex without specifying the field (which will work on _raw) does find the values you are after.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 02:09 AM

It Is not overly clear what you events look like or which part of the event you are trying to extract. However, assuming it is a number after "Calls: " then this might help

| rex "Calls: {?<calls>\d+)"
0 Karma
Reply

hishamjan
Explorer
‎02-15-2021 04:28 AM

Hi, thanks for the reply. 

To answer your question, it is indeed a number after the " Calls: "

 

I tried this solution but it does seem to search from the entire event and not from what I've typed in the search string:

CAIB="Current Active Inbound Calls:" | rex field=CAIB ".*=(?<number>\d+)\D" | timechart span=30s count by max(number)

where CAIB is a field that I extracted myself and number is a variable I used to store the values

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-15-2021 04:34 AM

How have you extracted CAIB?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...