extract values

Abha · ‎12-09-2013

I need to extract the following as different values for revenue.
Revenue 374256 318747 271437 271957
Was thinking of using rex command, but cant really work it out. Some help please..

jpass · ‎12-09-2013

I'm not good with regular expressions yet but here's how I would do it:

let's say your field is called 'revenue' and it's exactly the string you posted. Revenue 374256 318747 271437 271957

| REX field="revenue" "Revenue (?.*)" | eval rev=split(rev," ") | table revenue,rev

the REX command creates a field called 'rev' which simply remvoves the string "Revenue" from your original value
The SPLIT function creates a multivalue field by breaking the value 'rev' on each space in the string

If you wanted to break your values into separate events you could add:

<your_search> | REX field="revenue" "Revenue (?<rev>.*)" | eval rev=split(rev," ") | mvexpand rev | table revenue,rev

I admit I am still developing my understanding of regular expressions. You will likely find a way to use the single REX command along with REX's max_match="0" attribute to create a multivalue field from the REX generated value.

somesoni2 · ‎12-09-2013

Try following

<your base search> | rex field=yourfield "Revenue (?P<Revenue>.+)" | eval Revenue=split(Revenue," ") | mvexpand Revenue

extract values

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update