@Naga1 

The split command is not for a static set of numbers, it will split whatever 'dynamic' numbers you have, whether that is

00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514

or

00000000000000999995,00000000000000999996,00000000000000999997,00000000000000999998,00000000000000999999

so perhaps you can give a clearer example of what your data might look like so we can understand what you mean by dynamic.

Are you trying to say that you have a single field called MessageText that may have

ABC,12345,XYZ,98765,Hello,444444,Goodbye,777777

and you want to extract all numeric sequences from it?

If so, give some examples of what the data will look like, so we can work out a suitable matching/extraction pattern

The pattern may be:

Sequence Numbers:00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514

I need to extract only numbers without comma and display them in table like:

00000000000000872510

00000000000000872511

00000000000000872512

00000000000000872513

00000000000000872514

Hello @bowesmana

Example
All number's are Numeric only 

message text fields from  1st event:
Sequence numbers

00000000000000872510,00000000000000872511,00000000000000872512,00000000000000872513,00000000000000872514

message text fields from  2nd event:
Sequence numbers

00000000000000872515,00000000000000872516,00000000000000872518,00000000000000872519,00000000000000872520

From the logs 00000000000000872517 was missing so need to check missing of sequence

that is  condition actually..

just need to check number is to be correct format ( one by one) or if its not correct need to throw alerts

please suggest using regex expression for this issue,

Below query i can able take first value from mentioned logs(events)

| rex field= cip:  Audit Message . Message Text"\D+(?<Sequence Number>\d+)" 
| table Sequence Number

Output :
00000000000000872510
00000000000000872515

but i need whole sequence number in statistic table  one by one,
Hope u understood 
Thanks in advance

I suspect also that you did not post your message text field, as that rex statement would not produce the results you gave due to \D+

Can you post your message text field completely

I'm confused ... why have you not just done

| eval "Sequence Number"=split('Message Text', ",")
| table Sequence Number

as advised earlier? Substitute the actual field name for Message Text above

Hi @Kingsly007,

please, next time, open a new question, even if on the same topic: you'll have a faster and probably better answer to your question!

in addition, at the end of the analysis, you can accept the answer and give more information for the other people of Community.

Anyway, could you better describe what you mean with "Dynamic"?

if you have comma divided values, the number of them isn't relevant.

Could you share a sample of your logs?

Ciao.

Giuseppe

Hello @gcusello ,
Regarding as per Subject,

Sequence number will be differ on every transaction log's ,
so how can we write log's for 
Values are all Dynamic ( not a same numbers on every transaction's) 
Every transaction logs( sequence number is different )

1 to n(last number) if missed any number's between  1 to N,
can you help on this, really thanks in advance

Hi @Kingsly007,

Anyway, it's still not clear what you mean with "Dynamic"?

if you have comma divided values, the number of them isn't relevant.

Could you share a sample of your logs?

Ciao.

Giuseppe

SAMPLE LOGS:

<Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp>

<Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121,00000000000000875122,00000000000000875123,00000000000000875124</Message Text>

<Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp>

<Message Text>Sequence Numbers processed during this transaction : 00000000000000875115,00000000000000875116,00000000000000875117,00000000000000875118</Message Text>

<Create Timestamp>2023-08-31T02:45:01.909Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875114</Message Text>

<Create Timestamp>2023-08-31T01:45:02.703Z</Create Timestamp> <Message Text>Sequence Numbers processed during this transaction : 00000000000000875112,00000000000000875113</Message Text>

Your logs look like compliant XML.  I am guessing that you already have the field "Message Text".  If so, you can apply @bowesmana's technique

| eval SequenceNumber = mvindex(split('Message Text', " : "), 1)
| eval SequenceNumber = split(SequenceNumber, ",")
| mvexpand SequenceNumber

(Replace 'Message Text' with MessageText if that's the field name.)  Your sample logs should give you something like

Here is an emulation that you can play with and compare with real data

| makeresults
| eval data = split("<Create Timestamp>2023-08-31T04:45:02.212Z</Create Timestamp>
<Message Text>Sequence Numbers processed during this transaction : 00000000000000875119,00000000000000875120,00000000000000875121,00000000000000875122,00000000000000875123,00000000000000875124</Message Text>

<Create Timestamp>2023-08-31T03:45:02.083Z</Create Timestamp>
<Message Text>Sequence Numbers processed during this transaction : 00000000000000875115,00000000000000875116,00000000000000875117,00000000000000875118</Message Text>

<Create Timestamp>2023-08-31T02:45:01.909Z</Create Timestamp>
<Message Text>Sequence Numbers processed during this transaction : 00000000000000875114</Message Text>

<Create Timestamp>2023-08-31T01:45:02.703Z</Create Timestamp>
<Message Text>Sequence Numbers processed during this transaction : 00000000000000875112,00000000000000875113</Message Text>", "

")
| mvexpand data
| rename data as _raw
| spath
| rename "Create./Create.Message" AS "Message Text"
| eval _time = strptime(Create, "%FT%H:%M:%S.%3Q%Z")
| rename Create AS "Create Timestamp"
``` data emulation above ```

Thanks

One more question , How Can I put logic to find missing number in this sequence of dynamically changing numbers:
It has no logic except it increase one by one.Is there any way to build logic for this increase by one number and Need to trigger an alert if it not increase by one- which indicates number missed.

00000000000000875115,00000000000000875116,00000000000000875118

In this case 00000000000000875117 is missing

00000000000000875117

00000000000000875117 

Assuming you have already extracted Message Text into a field called MessageText, try this

| rex field=MessageText max_match=0 "(?<SequenceNumber>\d+)"
| mvexpand SequenceNumber
| table SequenceNumber

Hello @ITWhisperer & @bowesmana  & @yuanliu ,

Thanks

One more question , How Can I put logic to find missing number in this sequence of dynamically changing numbers:
It has no logic except it increase one by one. Is there any way to build logic for this increase by one number and Need to trigger an alert if it not increase by one- which indicates number missed.

00000000000000875115,00000000000000875116,00000000000000875118

In this case 00000000000000875117 is missing

00000000000000875117

00000000000000875117 

Try something like this

| rex field=MessageText max_match=0 "(?<SequenceNumber>\d+)"
| table SequenceNumber
| eval fullSequence = mvrange(tonumber(mvindex(SequenceNumber,0)),tonumber(mvindex(SequenceNumber,-1))+1)
| eval missing=mvmap(fullSequence,if(isnull(mvfind(SequenceNumber,fullSequence)),fullSequence,NULL()))