Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract number from a field and output to a table or new field

bablucho
Path Finder
‎09-09-2018 07:11 AM

i am trying to extract the Printed number value from the below string deriving from field3 and out put to a table or new field known as 'Printed'

Summary:

Selected: : 001558
Deceased : 000003
GoneAway : 000007
Suspended : 000023
Sent2Print : 001527
===== : ===
Printed : 001527
===== : ===

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2018 11:03 AM

If I understand your question correctly, this should get you started.

... | rex field=field3 "Printed\s*:\s*(?<Printed>\d+)" | ...
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

bablucho
Path Finder
‎09-20-2018 08:33 AM

actually its not in a field 3...
the below is an extract from an event. when I try to manually extract it does not show the full event past line 18 so I thought maybe a regex will be able to pull the data 'Printed: <001527>
Selected: : 001558
Deceased : 000003
GoneAway : 000007
Suspended : 000023
Sent2Print : 001527
===== : ===
Printed : 001527
===== : ===

0 Karma
Reply
Solved! Jump to solution

skoelpin
SplunkTrust
SplunkTrust
‎09-09-2018 11:20 AM

This should auto-extract at searchtime. If not then try adding this to your search

| rex field=field3 Printed\s\:\s(?<Printed>\d+)
| table Printed
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-09-2018 11:03 AM

If I understand your question correctly, this should get you started.

... | rex field=field3 "Printed\s*:\s*(?<Printed>\d+)" | ...
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...