Solved: Extract a number from event message field

codebased · ‎06-13-2017

Hi Guys,

I have been trying to extract the number at the end of EVENT_MESSAGE field.

Text sample:
SERVER=SERVERNAME; EVENT_MESSAGE=Number of Offers ready to send: 6

I am using the following query:

rex field=EVENT_MESSAGE "Number of Offers ready to send: (?<offercount>\d+$)" | table offercount

However I am not getting any result; the offercount result is empty.

DalJeanis · ‎06-14-2017

Just for grins, try this -

| rex field=_raw "Number of Offers ready to send: (?<offercount>\d+)"

If it works, then EVENT_MESSAGE is probably somehow not an extracted field.

View solution in original post

DalJeanis · ‎06-14-2017

Just for grins, try this -

| rex field=_raw "Number of Offers ready to send: (?<offercount>\d+)"

If it works, then EVENT_MESSAGE is probably somehow not an extracted field.

yuanliu · ‎06-14-2017

Unless you have some customised field extraction for EVENT_MESSAGE, Splunk will automatically assign "Number" to EVENT_MESSAGE instead of "Number of Offers ready to send: 6" that @codebased seems to expect. The above should work. (field=_raw is assumed by default so no need to specify.)

codebased · ‎06-14-2017

Indeed it is not a field!

DalJeanis · ‎06-15-2017

@codebased - I suspected so.

@yuanliu is correct that field=_raw is default, but on these forums I like to be explicit, in case a reader doesn't understand that the rex is operating on some specific field... like the one that in this case didn't exist...

dineshraj9 · ‎06-13-2017

Try this

rex field=EVENT_MESSAGE "Number of Offers ready to send: (?<offercount>\d+)" | table offercount

codebased · ‎06-13-2017

Thank you @dineshraj9. I was actually using ? but somehow it got removed from my original question. I have copied your snippet as it is but it is not working :(. The offercount is all empty.

codebased · ‎06-14-2017

Thank you so much for your help. It is resolved. I had to use _raw.

dineshraj9 · ‎06-13-2017

Can you paste the exact value in the EVENT_MESSAGE field? when I tested with the sample provided by you it worked.

| makeresults | eval EVENT_MESSAGE="Number of Offers ready to send: 6" | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount

You could also try -

<your search> | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount

codebased · ‎06-14-2017

This is what I have tried:
APP_PATH="/Apiv0" EVENT_MESSAGE=Number of Offers ready to send | rex field=EVENT_MESSAGE "\D+(?\d+)" | table offercount

My splunk log is:

2017-06-15 03:00:12.8818; LOG_LEVEL=Info; SOURCE=JobRepository; APP_PATH=/Apiv0; VERSION=0.1.0.90; CORRELATION_IDENTIFIER=fe800697-df6a-4ce6-9438-27d106ab0005; SERVER=XXXX; EVENT_MESSAGE=Number of Offers ready to send: 6

The result is:

Events (14)
- ...
Statistics (14)
- Empty List

Extract a number from event message field

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!