Tags: splunk-query, splunk-dashboard

Splunk : extract multiple values from each event


I am new to Splunk queries and I am not able to figure out how to extract multiple values from the same event. I am working with events that look like this:

...
starting count: 12345678
ending count: 12347890
total time: ...
....

I want to extract the values associated with "starting count" and "ending count" and create a chart comparing these two values. So far I am able to extract one set of values using this query:

rex field=_raw "starting count: (?<StartCount>\d+)"

But how can I extract two different values and compare? Thanks in advance.


Solution

  • If you are going to make a chart, does that mean you have multiple events and each event contains a starting count and an ending count?

    If so, extract the starting count and the ending count with a rex (just like you suggested) and then eval the difference. Something like:

    | rex field=_raw "starting count: (?<StartCount>\d+)"
    | rex field=_raw "ending count: (?<EndCount>\d+)"
    | eval difference=EndCount-StartCount
    | table _time StartCount EndCount difference
    

    Here is a "run anywhere" version that makes its own test data:

    | makeresults count=2
    | streamstats count
    | eval _raw=if(count=1,"starting count: 12345678 ending count: 12346789 total time: ...","starting count: 12347890 ending count: 12349999 total time: ...")
    | eval _time=if(count=1,_time-1,_time)
    | rex field=_raw "starting count: (?<StartCount>\d+)"
    | rex field=_raw "ending count: (?<EndCount>\d+)"
    | eval difference=EndCount-StartCount
    | table _time StartCount EndCount difference
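The question also asked for a chart comparing the two values. The following is an added example, not part of the original answer: it reuses the same run-anywhere test data, drops any event where either rex failed to match (otherwise such events appear as empty points), and finishes with a timechart instead of a table. The 60-second spacing of the test events and span=1m are assumed values chosen so that each event lands in its own time bucket.

```spl
| makeresults count=2
| streamstats count
| eval _raw=if(count=1,"starting count: 12345678 ending count: 12346789 total time: ...","starting count: 12347890 ending count: 12349999 total time: ...")
| eval _time=if(count=1,_time-60,_time)
| rex field=_raw "starting count: (?<StartCount>\d+)"
| rex field=_raw "ending count: (?<EndCount>\d+)"
| where isnotnull(StartCount) AND isnotnull(EndCount)
| eval difference=EndCount-StartCount
| timechart span=1m max(StartCount) AS StartCount max(EndCount) AS EndCount max(difference) AS difference
```

With one event per bucket, max() simply returns that event's value; switch the visualization to a line or column chart to see StartCount, EndCount and difference plotted over time.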