lr-pal
Reputation: 389
Splunk - Extracted number from search result not showing up in the table
My splunk result looks like this:
9/1/20
5:00:14.487 PM
2020-09-01 16:00:14.487, 'TOTALITEMS'="Number of items registered in the last 2 hours ", COUNT(*)="1339"
I am trying to table the number that appears in the end in quotes.
index=my_db sourcetype=no_of_items_registered source=P_No_of_items_registered_2hours | rex field=_raw "\"Number of items registered in the last 2 hours \", COUNT(\*)=\"(?P<itm_ct>\d+)\"$" | table itm_ct
This displays a blank table without any numbers. The number of rows in the table however matches the the number of events.
Any help much appreciated
Upvotes: 0
Views: 388
Answers (1)
RichG
Reputation: 9926
The regular expression doesn't match the sample data. Literal parentheses must be escaped in the regex. Try this:
index=my_db sourcetype=no_of_items_registered source=P_No_of_items_registered_2hours
| rex "COUNT\(\*\)="(?<itm_ct>\d+)" | table itm_c
Upvotes: 1
Related Questions
- Extract data from splunk
- Splunk create value on table with base search and eval from lookup
- How to extract a field from a Splunk search result and do stats on the value of that field
- Splunk produces a table with only one row
- Splunk Cloud search query with variable does not return results
- Splunk query do not return value for both columns together
- Splunk inputlookup and result extraction
- stats latest not showing any value for field
- Assign a value to the variable in Splunk and use that value in the search
- Splunk extracted field in dashboard