Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Regex Money

rpascua
Explorer
‎03-25-2014 12:46 PM

My Regex:

| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"

The problem:

If John took money out three times within a 24-hour period, using the REGEX above, I would have a 3-liner output like below...

John Deposit 0 Withdrawal 50 Total Withdrawal 50

John Deposit 0 Withdrawal 35 Total Withdrawal 35

John Deposit 0 Withdrawal 25 Total Withdrawal 25

But all I need is a one-liner like so:

John Deposit 0 Withdrawal 110 Total Withdrawal 110

I tried multiple combinations on that last line of code (addtotals) but keep coming up empty. Any assistance would be much appreciated.

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2014 01:06 PM

You're trying to calculate the sum of deposits and withdrawals per person? Append this:

... | stats sum(Deposit) sum(Withdrawal) by Name

View solution in original post

Reply
Solved! Jump to solution

marcoscala
Builder
‎04-01-2014 04:41 PM

And remember that you can write a single "Rex" matching all the different fields you need to extract, if of course are ALL present in the same event...

Marco

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2014 01:06 PM

You're trying to calculate the sum of deposits and withdrawals per person? Append this:

... | stats sum(Deposit) sum(Withdrawal) by Name
Reply
Solved! Jump to solution

rpascua
Explorer
‎03-25-2014 01:40 PM

Oh.. duh. It works! Thank you Splunk God!

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎03-25-2014 01:30 PM

That's what the by Name is for.

Reply
Solved! Jump to solution

rpascua
Explorer
‎03-25-2014 01:28 PM

Yes, I tried "stats" as well. But instead of typing each name (ie. John, Stacey, Logan) I'm trying to parse out an entire list of names along with the number of withdrawals they made within the last 24 hours.

I'm trying to avoid doing this for each names:

John " withdrawal" | rex "\sof (?[A-Za-z0-9_]+)" | rex "\sdeposit ((?\d+)" | rex "\s*withdrawal ((?\d+)" | table Name Deposit Withdrawal | stats sum(Withdrawal)

Stacey " withdrawal" | rex "\sof (?[A-Za-z0-9_]+)" | rex ........ and so on

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...