Splunk Search

Why is my rex search not extracting the field from my event?

hqw
Path Finder

Dear all,

I want to extract a field from the event, and name it retail, and then use this new field to make a calculation. Could you pls help me to achieve this?

This portion from my event below mount_name="MerryMart-An-Wai, I want to extract MerryMart, the first word of mount_name.

This is my current search:

interaction_count | rex field = mount_name"(?<retail>-.*)" | stats sum(interaction_count) by retail

but I got nothing returned. Could you kindly tell me what is wrong?

Event:

Jun 25 2015 05:00:00 geoloc_city="**" geoloc_country="**" menu_interaction_count="0" menu_interaction_duration="0" menu_select_experience="0" mount_name="MerryMart-An-Wai " shop_id="d3ba599ad84f4eb69b5321b90e958b30" shop_name="MerryMart-An-Wai" 
0 Karma
1 Solution

chimell
Motivator

Hi hqw
Try this search code

 interaction_count | rex field=_raw "mount_name\=\"(?P<retail>[\w]+)\-"| stats sum(interaction_count) by retail

Look at the result of " MerryMart" extraction (first word of mount_name )
alt text

View solution in original post

chimell
Motivator

Hi hqw
Try this search code

 interaction_count | rex field=_raw "mount_name\=\"(?P<retail>[\w]+)\-"| stats sum(interaction_count) by retail

Look at the result of " MerryMart" extraction (first word of mount_name )
alt text

chimell
Motivator

Thanks but you forgot to vote

0 Karma

vganjare
Builder

You can try IFX which is easy to use. Following tutorial can help you.

http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/ExtractfieldsinteractivelywithIFX

Thanks!!

0 Karma

ngatchasandra
Builder

Hi,
Try with:

 interaction_count|rex field=_raw "mount_name\=\"(?<retail>[A-Z a-z]+)\-" | stats sum(interaction_count) by retail
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...