My Regex:
| rex "\sof (?<Name>[A-Za-z0-9_]+)" | rex "\sdeposit \((?<Deposit>\d+)" | rex "\s*withdrawal \((?<Withdrawal>\d+)" | table Name Deposit Withdrawal | addtotals Withdrawal "\s*withdrawal \((?<Withdrawal>\d+)"
The problem:
If John took money out three times within a 24-hour period, using the REGEX above, I would have a 3-liner output like below...
John Deposit 0 Withdrawal 50 Total Withdrawal 50
John Deposit 0 Withdrawal 35 Total Withdrawal 35
John Deposit 0 Withdrawal 25 Total Withdrawal 25
But all I need is a one-liner like so:
John Deposit 0 Withdrawal 110 Total Withdrawal 110
I tried multiple combinations on that last line of code (addtotals) but keep coming up empty. Any assistance would be much appreciated.
You're trying to calculate the sum of deposits and withdrawals per person? Append this:
... | stats sum(Deposit) sum(Withdrawal) by Name
And remember that you can write a single "Rex" matching all the different fields you need to extract, if of course they are ALL present in the same event...
Marco
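As an added illustration, not part of the thread, here is a Python stand-in for the poster's three rex stages followed by Marco's stats sum(...) by Name, run over constructed events whose layout ("of <Name> deposit (<n>) withdrawal (<n>)") is assumed from the rex patterns; Splunk's (?<name>...) groups are written in Python's (?P<name>...) form.

```python
import re
from collections import defaultdict

# Constructed sample events (not from the original post). The field layout is
# an assumption derived from the poster's rex patterns.
EVENTS = [
    "2024-05-01T08:00:00 txn of John deposit (0) withdrawal (50)",
    "2024-05-01T12:30:00 txn of John deposit (0) withdrawal (35)",
    "2024-05-01T17:45:00 txn of John deposit (0) withdrawal (25)",
    "2024-05-01T09:10:00 txn of Stacey deposit (200) withdrawal (20)",
    "2024-05-01T11:00:00 txn of Logan deposit (75)",  # no withdrawal field
]

# The three rex patterns from the search. Each is applied on its own, just as
# separate "| rex" stages are, so one failing pattern does not affect the others.
REX = {
    "Name": re.compile(r"\sof (?P<Name>[A-Za-z0-9_]+)"),
    "Deposit": re.compile(r"\sdeposit \((?P<Deposit>\d+)"),
    "Withdrawal": re.compile(r"\s*withdrawal \((?P<Withdrawal>\d+)"),
}

def extract(event):
    """Mimic the rex stages: a field is null (None) when its pattern does not match."""
    fields = {}
    for field, pattern in REX.items():
        m = pattern.search(event)
        fields[field] = m.group(field) if m else None
    return fields

def stats_sum_by_name(events):
    """Mimic '| stats sum(Deposit) sum(Withdrawal) by Name'.

    Events with no Name are dropped (there is no group for them to land in), and a
    missing numeric field adds nothing to its sum. Splunk shows an empty cell rather
    than 0 when every value in a group is null; 0 is used here for simplicity.
    """
    totals = defaultdict(lambda: {"sum(Deposit)": 0, "sum(Withdrawal)": 0})
    for event in events:
        f = extract(event)
        if f["Name"] is None:
            continue
        row = totals[f["Name"]]
        if f["Deposit"] is not None:
            row["sum(Deposit)"] += int(f["Deposit"])
        if f["Withdrawal"] is not None:
            row["sum(Withdrawal)"] += int(f["Withdrawal"])
    return dict(totals)

if __name__ == "__main__":
    for name, row in stats_sum_by_name(EVENTS).items():
        print(name, row)  # John -> sum(Withdrawal) 110, one row per Name
```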
Oh.. duh. It works! Thank you Splunk God!
That's what the "by Name" is for.
Yes, I tried "stats" as well. But instead of typing each name (ie. John, Stacey, Logan) I'm trying to parse out an entire list of names along with the number of withdrawals they made within the last 24 hours.
I'm trying to avoid doing this for each name:
John " withdrawal" | rex "\sof (?
Stacey " withdrawal" | rex "\sof (?