Solved: Need to exract amountTendered

yograjpatel · ‎01-16-2018

EWS Response Content:{_ "responseHeader" : {_ "success" : "true",_ "serviceName" : "payment",_ "resourceName" : "payments",_ "operationName" : "create",_ "version" : "1.25.261",_ "statementCode" : "001",_ "methodOfPaymentSequence" : "1",_ "amountTendered" : "705.14",_ "balanceBegin" : "1410.79",_ "balanceEnd" : "705.65",_ "icomsTransactionDateTime" : "20180116",_ "message" : {_ "code" : "PAYMENT_AUTH_SUCCESS",_ "message" : "Payment has been authorized."_ }_ } ]_}

mayurr98 · ‎01-16-2018

hey @yograjpatel

Try this run anywhere search

| makeresults 
| eval _raw="EWS Response Content:{ \"responseHeader\" : { \"success\" : \"true\", \"serviceName\" : \"payment\", \"resourceName\" : \"payments\", \"operationName\" : \"create\", \"version\" : \"1.25.261\", \"statementCode\" : \"001\", \"methodOfPaymentSequence\" : \"1\", \"amountTendered\" : \"705.14\", \"balanceBegin\" : \"1410.79\", \"balanceEnd\" : \"705.65\", \"icomsTransactionDateTime\" : \"20180116\", \"message\" : { \"code\" : \"PAYMENT_AUTH_SUCCESS\", \"message\" : \"Payment has been authorized.\" } } ]}" 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

In your environment, you should write

index=<your_index> 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

Let me know if this helps !

View solution in original post

yograjpatel · ‎01-17-2018

rex field=_raw "amountTendered\"\s:\s\"(?[^\"]+)" tried this and it worked

mayurr98 · ‎01-16-2018

hey @yograjpatel

Try this run anywhere search

| makeresults 
| eval _raw="EWS Response Content:{ \"responseHeader\" : { \"success\" : \"true\", \"serviceName\" : \"payment\", \"resourceName\" : \"payments\", \"operationName\" : \"create\", \"version\" : \"1.25.261\", \"statementCode\" : \"001\", \"methodOfPaymentSequence\" : \"1\", \"amountTendered\" : \"705.14\", \"balanceBegin\" : \"1410.79\", \"balanceEnd\" : \"705.65\", \"icomsTransactionDateTime\" : \"20180116\", \"message\" : { \"code\" : \"PAYMENT_AUTH_SUCCESS\", \"message\" : \"Payment has been authorized.\" } } ]}" 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

In your environment, you should write

index=<your_index> 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

Let me know if this helps !

mayurr98 · ‎01-17-2018

Hey @yograjpatel
If you deem the posted answer is correct then pls accept/upvote to resolve this question.

yograjpatel · ‎01-16-2018

I'm getting the total count but not the actual amount to sum up.

horsefez · ‎01-16-2018

Hi,

yeah. We have extracted a string value. You need to convert it into a number first.

Just do the following after the "rex" command:
| convert num(amountTendered)

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Convert

yograjpatel · ‎01-16-2018

tried this too rex "\"amountTendered\"\s:\s\"(?P\d+)\""

horsefez · ‎01-16-2018

did you really do the following:

| rex field=_raw "amountTendered\"\s*\:\s*(?<amountTendered>[^\"]+)"
| convert num(amountTendered)

yograjpatel · ‎01-16-2018

not working

horsefez · ‎01-16-2018

Hi,

how about a regular expression.

| rex field=_raw "amountTendered\"\s*\:\s*(?<amountTendered>[^\"]+)"

Need to exract amountTendered

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation