Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Regex Money

rpascua
Explorer
‎03-25-2014 12:46 PM

My Regex:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"

The problem:

If John took money out three times within a 24-hour period, using the REGEX above, I would have a 3-liner output like below...

John Deposit 0 Withdrawal 50 Total Withdrawal 50

John Deposit 0 Withdrawal 35 Total Withdrawal 35

John Deposit 0 Withdrawal 25 Total Withdrawal 25

But all I need is a one-liner like so:

John Deposit 0 Withdrawal 110 Total Withdrawal 110

I tried multiple combinations on that last line of code (addtotals) but keep coming up empty. Any assistance would be much appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2014 01:06 PM

You're trying to calculate the sum of deposits and withdrawals per person? Append this:

... | stats sum(Deposit) sum(Withdrawal) by Name

View solution in original post

Reply
Solved! Jump to solution

marcoscala
Builder
‎04-01-2014 04:41 PM

And remember that you can write a single "Rex" matching all the different fields you need to extract, if of course are ALL present in the same event...

Marco

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2014 01:06 PM

You're trying to calculate the sum of deposits and withdrawals per person? Append this:

... | stats sum(Deposit) sum(Withdrawal) by Name
Reply
Solved! Jump to solution

rpascua
Explorer
‎03-25-2014 01:40 PM

Oh.. duh. It works! Thank you Splunk God!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2014 01:30 PM

That's what the by Name is for.

Reply
Solved! Jump to solution

rpascua
Explorer
‎03-25-2014 01:28 PM

Yes, I tried "stats" as well. But instead of typing each name (ie. John, Stacey, Logan) I'm trying to parse out an entire list of names along with the number of withdrawals they made within the last 24 hours.

I'm trying to avoid doing this for each names:

John " withdrawal" | rex "\sof (?[A-Za-z0-9_]+)" | rex "\sdeposit ((?\d+)" | rex "\s*withdrawal ((?\d+)" | table Name Deposit Withdrawal | stats sum(Withdrawal)

Stacey " withdrawal" | rex "\sof (?[A-Za-z0-9_]+)" | rex ........ and so on

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...

SplunkTrust Application Period is Officially OPEN!

It's that time, folks! The application/nomination period for the 2026-2027 SplunkTrust is officially open. If ...