Regex in splunk - starting with number and has comma in between

Question

I am trying write a regex to extract the number so that I can calculate the sum. Below is the event:

abre0001.pxm:  55 records processed as of 2022-07-28 00:55:51.829407 

abre0001.pxm:  23,555 records processed as of 2022-07-28 00:55:51.829407 

abcd0001.pxm:  23,45,555 records processed as of 2022-07-28 00:55:52.543170

I want to extract the fields 55, 23,555, and 23,45,555 from each event and calculate the sum. However, I am unable to extract the number with a comma in it. I am able to get just the entries with only digits. Below is the regex used.

index="" source="" sourcetype="r"  "ab*0001.pxm" 
| rex field=_raw "pxm:\s+(?<value>/d+)/s" 
| convert rmcomma(value) 
| stats sum(value) as total_entries

The value field is unable to extract the number having a comma. It only extracts 55 rest of the entries are blank. Not sure what explicitly we need to give here.

If you can get the number out with the comma's you can use the replace command | eval n=replace(n,",","") where n is the field you extracted with the digits and commas — Daniel Price, Jul 29 '22 at 10:47
Rex for capture: "pxm:\s+(?[\d,]+)\s" d, and s are escaped and added "," to group that can be in the named capture group "values" — Daniel Price, Jul 29 '22 at 10:51
Oh nice I've just look up the convert command, Didn't know about it, learnt something new :D — Daniel Price, Jul 29 '22 at 10:53

score 4 · Accepted Answer · edited Jul 29 '22 at 14:23

4

| rex field=_raw "pxm:\s+(?<value>[\d,]+)\s"
| eval value=replace(value,",","")

d, and s are escaped and added "," to group that can be in the named capture group "value"

You then need to remove any commas, since they're not numerical

edited Jul 29 '22 at 14:23

warren

32,620
21
85
124

answered Jul 29 '22 at 10:54

Daniel Price

443
2
12

Regex in splunk - starting with number and has comma in between

1 Answers1