extract values

Abha · ‎12-09-2013

I need to extract the following as different values for revenue.
Revenue 374256 318747 271437 271957
Was thinking of using rex command, but cant really work it out. Some help please..

jpass · ‎12-09-2013

I'm not good with regular expressions yet but here's how I would do it:

let's say your field is called 'revenue' and it's exactly the string you posted. Revenue 374256 318747 271437 271957

| REX field="revenue" "Revenue (?.*)" | eval rev=split(rev," ") | table revenue,rev

the REX command creates a field called 'rev' which simply remvoves the string "Revenue" from your original value
The SPLIT function creates a multivalue field by breaking the value 'rev' on each space in the string

If you wanted to break your values into separate events you could add:

<your_search> | REX field="revenue" "Revenue (?<rev>.*)" | eval rev=split(rev," ") | mvexpand rev | table revenue,rev

I admit I am still developing my understanding of regular expressions. You will likely find a way to use the single REX command along with REX's max_match="0" attribute to create a multivalue field from the REX generated value.

somesoni2 · ‎12-09-2013

Try following

<your base search> | rex field=yourfield "Revenue (?P<Revenue>.+)" | eval Revenue=split(Revenue," ") | mvexpand Revenue

extract values

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!