Extract and/or add numbers from a string

apoorvaaccount · ‎02-28-2024

I have string field:

provTimes: a=10; b=15; c=10;

it basically has semicolon separated sub-fields in the value. Each sub-field has a number on right hand side.

These fields are dynamic, can be a,v,e,f in 1 event and z,y in another event. Ignoring the sub field names, I'm only concerned with the numbers they have. I just want to add them all.

Example

provTimes: a=10; b=15; c=10;

result = 35

provTimes: x=10; b=5;

result = 15

yuanliu · ‎02-28-2024

Or, in the old fashioned extract (aka kv) and foreach😉,

| rename _raw AS temp, provTimes AS _raw
| rex mode=sed "s/\S+=/provTimes_&/g"
| kv
| foreach provTimes_*
    [eval sum = mvappend(sum, '<<FIELD>>')]
| eval sum = sum(sum)
``` below are cleanups, only if you want to restore world order ```
| fields - provTimes_*
| rex mode=sed "s/provTimes_//g"
| rename _raw AS provTimes, temp AS _raw

Here is an emulation you can play with and compare with real data

| makeresults format=csv data="provTimes
a=10; b=15; c=10;
x=10; b=5;"
``` data emulation above ```

Output from this emulation is

provTimes	sum
a=10; b=15; c=10;	35
x=10; b=5;	15

richgalloway · ‎02-28-2024

If you can install the mvstats app (https://splunkbase.splunk.com/app/5198) then this will do it.

| rex max_match=0 "provTimes: \w+=(?<provTimes>\d+);"
| mvstats sum provTimes as result

---
If this reply helps you, Karma would be appreciated.

Extract and/or add numbers from a string

eval

field extraction

regex

stats

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?