Solved: Need to exract amountTendered

yograjpatel · ‎01-16-2018

EWS Response Content:{_ "responseHeader" : {_ "success" : "true",_ "serviceName" : "payment",_ "resourceName" : "payments",_ "operationName" : "create",_ "version" : "1.25.261",_ "statementCode" : "001",_ "methodOfPaymentSequence" : "1",_ "amountTendered" : "705.14",_ "balanceBegin" : "1410.79",_ "balanceEnd" : "705.65",_ "icomsTransactionDateTime" : "20180116",_ "message" : {_ "code" : "PAYMENT_AUTH_SUCCESS",_ "message" : "Payment has been authorized."_ }_ } ]_}

mayurr98 · ‎01-16-2018

hey @yograjpatel

Try this run anywhere search

| makeresults 
| eval _raw="EWS Response Content:{ \"responseHeader\" : { \"success\" : \"true\", \"serviceName\" : \"payment\", \"resourceName\" : \"payments\", \"operationName\" : \"create\", \"version\" : \"1.25.261\", \"statementCode\" : \"001\", \"methodOfPaymentSequence\" : \"1\", \"amountTendered\" : \"705.14\", \"balanceBegin\" : \"1410.79\", \"balanceEnd\" : \"705.65\", \"icomsTransactionDateTime\" : \"20180116\", \"message\" : { \"code\" : \"PAYMENT_AUTH_SUCCESS\", \"message\" : \"Payment has been authorized.\" } } ]}" 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

In your environment, you should write

index=<your_index> 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

Let me know if this helps !

View solution in original post

yograjpatel · ‎01-17-2018

rex field=_raw "amountTendered\"\s:\s\"(?[^\"]+)" tried this and it worked

mayurr98 · ‎01-16-2018

hey @yograjpatel

Try this run anywhere search

| makeresults 
| eval _raw="EWS Response Content:{ \"responseHeader\" : { \"success\" : \"true\", \"serviceName\" : \"payment\", \"resourceName\" : \"payments\", \"operationName\" : \"create\", \"version\" : \"1.25.261\", \"statementCode\" : \"001\", \"methodOfPaymentSequence\" : \"1\", \"amountTendered\" : \"705.14\", \"balanceBegin\" : \"1410.79\", \"balanceEnd\" : \"705.65\", \"icomsTransactionDateTime\" : \"20180116\", \"message\" : { \"code\" : \"PAYMENT_AUTH_SUCCESS\", \"message\" : \"Payment has been authorized.\" } } ]}" 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

In your environment, you should write

index=<your_index> 
| rex field=_raw "amountTendered\"\s:\s\"(?<amountTendered>[^\"]+)" 
| convert num(amountTendered)

Let me know if this helps !

mayurr98 · ‎01-17-2018

Hey @yograjpatel
If you deem the posted answer is correct then pls accept/upvote to resolve this question.

yograjpatel · ‎01-16-2018

I'm getting the total count but not the actual amount to sum up.

horsefez · ‎01-16-2018

Hi,

yeah. We have extracted a string value. You need to convert it into a number first.

Just do the following after the "rex" command:
| convert num(amountTendered)

https://docs.splunk.com/Documentation/SplunkCloud/6.6.3/SearchReference/Convert

yograjpatel · ‎01-16-2018

tried this too rex "\"amountTendered\"\s:\s\"(?P\d+)\""

horsefez · ‎01-16-2018

did you really do the following:

| rex field=_raw "amountTendered\"\s*\:\s*(?<amountTendered>[^\"]+)"
| convert num(amountTendered)

yograjpatel · ‎01-16-2018

not working

horsefez · ‎01-16-2018

Hi,

how about a regular expression.

| rex field=_raw "amountTendered\"\s*\:\s*(?<amountTendered>[^\"]+)"

Need to exract amountTendered

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update