Hi Guys,
I have been trying to extract the number at the end of the EVENT_MESSAGE field.
Text sample:
SERVER=SERVERNAME; EVENT_MESSAGE=Number of Offers ready to send: 6
I am using the following query:
rex field=EVENT_MESSAGE "Number of Offers ready to send: (?<offercount>\d+$)" | table offercount
However I am not getting any result; the offercount result is empty.
Just for grins, try this -
| rex field=_raw "Number of Offers ready to send: (?<offercount>\d+)"
If it works, then EVENT_MESSAGE is probably somehow not an extracted field.
Unless you have some customised field extraction for EVENT_MESSAGE, Splunk will automatically assign "Number" to EVENT_MESSAGE instead of "Number of Offers ready to send: 6" that @codebased seems to expect. The above should work. (field=_raw is assumed by default so no need to specify.)
Indeed it is not a field!
@codebased - I suspected so.
@yuanliu is correct that field=_raw is default, but on these forums I like to be explicit, in case a reader doesn't understand that the rex is operating on some specific field... like the one that in this case didn't exist...
Try this
rex field=EVENT_MESSAGE "Number of Offers ready to send: (?<offercount>\d+)" | table offercount
Thank you @dineshraj9. I was actually using ? but somehow it got removed from my original question. I have copied your snippet as it is but it is not working :(. The offercount is all empty.
Thank you so much for your help. It is resolved. I had to use _raw.
Can you paste the exact value in the EVENT_MESSAGE field? When I tested with the sample provided by you it worked.
| makeresults | eval EVENT_MESSAGE="Number of Offers ready to send: 6" | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount
You could also try -
<your search> | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount
This is what I have tried:
APP_PATH="/Apiv0" EVENT_MESSAGE=Number of Offers ready to send | rex field=EVENT_MESSAGE "\D+(?<offercount>\d+)" | table offercount
My splunk log is:
2017-06-15 03:00:12.8818; LOG_LEVEL=Info; SOURCE=JobRepository; APP_PATH=/Apiv0; VERSION=0.1.0.90; CORRELATION_IDENTIFIER=fe800697-df6a-4ce6-9438-27d106ab0005; SERVER=XXXX; EVENT_MESSAGE=Number of Offers ready to send: 6
The result is:
Events (14)
- ...
Statistics (14)
- Empty List
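The reason the searches on field=EVENT_MESSAGE return nothing, as @yuanliu explains above, is that automatic key=value extraction stops at the first whitespace, so the extracted field holds only "Number". The following is an added example, not code from the thread or from Splunk: a small Python model of that behaviour run against the log line the asker posted. The regex in KV_RE is an assumption that approximates Splunk's automatic extraction (value up to the next whitespace or semicolon); extract_delimited is a hypothetical custom extraction that splits on the "; " delimiter instead, which is the kind of configured extraction that would make the field-based rex work.

```python
import re

# Log line as posted in the thread (the SERVER value is already masked there).
RAW = ("2017-06-15 03:00:12.8818; LOG_LEVEL=Info; SOURCE=JobRepository; "
       "APP_PATH=/Apiv0; VERSION=0.1.0.90; "
       "CORRELATION_IDENTIFIER=fe800697-df6a-4ce6-9438-27d106ab0005; "
       "SERVER=XXXX; EVENT_MESSAGE=Number of Offers ready to send: 6")

# Assumption: approximates Splunk's automatic key=value extraction, which
# takes the value only up to the next whitespace (or delimiter).
KV_RE = re.compile(r"(\w+)=([^\s;]+)")

# The rex pattern from the thread, in Python's named-group syntax.
OFFER_RE = re.compile(r"Number of Offers ready to send: (?P<offercount>\d+)")


def auto_extract(raw: str) -> dict:
    """Model of automatic key=value extraction over the raw event."""
    return {k: v for k, v in KV_RE.findall(raw)}


def extract_delimited(raw: str) -> dict:
    """Hypothetical custom extraction: split the event on '; ' so a value may contain spaces."""
    fields = {}
    for part in raw.split("; "):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def rex(text: str, pattern: re.Pattern = OFFER_RE):
    """Equivalent of '| rex field=<text> "..."': the captured group or None if no match."""
    match = pattern.search(text)
    return match.group("offercount") if match else None


def offercount_from_auto_field(raw: str):
    # rex field=EVENT_MESSAGE with the auto-extracted field: the field is just "Number".
    return rex(auto_extract(raw).get("EVENT_MESSAGE", ""))


def offercount_from_raw(raw: str):
    # rex field=_raw: the full message is still present in the raw event.
    return rex(raw)


def offercount_from_delimited_field(raw: str):
    # rex field=EVENT_MESSAGE once a delimiter-aware extraction has populated it.
    return rex(extract_delimited(raw).get("EVENT_MESSAGE", ""))


if __name__ == "__main__":
    print("auto-extracted EVENT_MESSAGE:", auto_extract(RAW)["EVENT_MESSAGE"])
    print("rex on auto field:", offercount_from_auto_field(RAW))
    print("rex on _raw:", offercount_from_raw(RAW))
    print("rex on delimited field:", offercount_from_delimited_field(RAW))
```

Running it prints "Number" for the auto-extracted field, None for the rex over that field, and "6" for both the _raw search and the delimiter-aware extraction, which is the empty-table-versus-working-search difference seen in the thread. When a detection search depends on a field value that contains spaces, checking what the extracted field actually holds (for example with `| table EVENT_MESSAGE`) before writing the rex saves exactly this kind of debugging.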