I need to extract the following as different values for revenue.
Revenue 374256 318747 271437 271957
Was thinking of using rex command, but cant really work it out. Some help please..
I'm not good with regular expressions yet but here's how I would do it:
let's say your field is called 'revenue' and it's exactly the string you posted. Revenue 374256 318747 271437 271957
If you wanted to break your values into separate events you could add:
<your_search> | REX field="revenue" "Revenue (?<rev>.*)" | eval rev=split(rev," ") | mvexpand rev | table revenue,rev
I admit I am still developing my understanding of regular expressions. You will likely find a way to use the single REX command along with REX's max_match="0" attribute to create a multivalue field from the REX generated value.
Try following
<your base search> | rex field=yourfield "Revenue (?P<Revenue>.+)" | eval Revenue=split(Revenue," ") | mvexpand Revenue