Splunk : extract multiple values from each event


I am new to Splunk queries and I am not able to figure out how to extract multiple values from same event. I am working with events that look like this :

...
starting count: 12345678
ending count: 12347890
total time: ...
....

I want to extract the values associated with "starting count" and "ending count" and create a chart comparing these two values. So far I am able to extract one set of value using this query

rex field=_raw "starting count: (?<StartCount>\d+)"

But how can I extract two different values and compare? Thanks in advance.


There is 1 answer

Jerry Jeremiah On BEST ANSWER

If you are going to make a chart, does that mean you have multiple events and each event contains a starting count and ending count?

If so, extract the starting count and the ending count with a rex (just like you suggested) and then eval the difference. Something like:

| rex field=_raw "starting count: (?<StartCount>\d+)"
| rex field=_raw "ending count: (?<EndCount>\d+)"
| eval difference=EndCount-StartCount
| table _time StartCount EndCount difference

Here is a "run anywhere" version that makes its own test data:

| makeresults count=2
| streamstats count
| eval _raw=if(count=1,"starting count: 12345678 ending count: 12346789 total time: ...","starting count: 12347890 ending count: 12349999 total time: ...")
| eval _time=if(count=1,_time-1,_time)

| rex field=_raw "starting count: (?<StartCount>\d+)"
| rex field=_raw "ending count: (?<EndCount>\d+)"
| eval difference=EndCount-StartCount
| table _time StartCount EndCount difference
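The same extract-then-subtract logic, as an added example that is not part of the original question or answer and is not Splunk code: a small Python script that applies the two regexes from the answer to constructed multi-line events (the event text is made up for this example) and mirrors what the SPL pipeline does, including the case the answer does not show, an event where one of the two fields is missing. In Splunk, a rex that does not match leaves the field null and the eval then yields null rather than an error; the Python below returns None in the same situation so that the difference is only computed when both counts were actually extracted. The helper names (rex, extract, build_table, total_difference) are this example's own.

```python
import re
from typing import Optional

# Constructed sample events in the shape described in the question (not real
# data from the page). The third event deliberately lacks "ending count" to
# show how a failed extraction propagates, just as a non-matching rex leaves
# the field null in Splunk.
SAMPLE_EVENTS = [
    "...\nstarting count: 12345678\nending count: 12346789\ntotal time: 1.2s\n....",
    "...\nstarting count: 12347890\nending count: 12349999\ntotal time: 0.8s\n....",
    "...\nstarting count: 12350000\ntotal time: 0.5s\n....",
]

# The two patterns from the answer, with the same named groups.
START_RE = re.compile(r"starting count: (?P<StartCount>\d+)")
END_RE = re.compile(r"ending count: (?P<EndCount>\d+)")


def rex(raw: str, pattern: re.Pattern, field: str) -> Optional[str]:
    """Equivalent of `| rex field=_raw "..."`: return the named group's
    text, or None when the pattern does not match (Splunk: field is null).
    Like Splunk's rex, this returns a string, not a number."""
    match = pattern.search(raw)
    return match.group(field) if match else None


def extract(raw: str) -> dict:
    """Equivalent of the rex/rex/eval part of the pipeline for one event."""
    start = rex(raw, START_RE, "StartCount")
    end = rex(raw, END_RE, "EndCount")
    # `eval difference=EndCount-StartCount` coerces the strings to numbers;
    # if either side is null the result is null, so do the same here.
    difference = int(end) - int(start) if start is not None and end is not None else None
    return {"StartCount": start, "EndCount": end, "difference": difference}


def build_table(events: list[str]) -> list[dict]:
    """Equivalent of `| table StartCount EndCount difference` over all events."""
    return [extract(raw) for raw in events]


def total_difference(rows: list[dict]) -> int:
    """What `| stats sum(difference)` would give: null rows are skipped."""
    return sum(row["difference"] for row in rows if row["difference"] is not None)


if __name__ == "__main__":
    rows = build_table(SAMPLE_EVENTS)
    for row in rows:
        print(row)
    print("sum(difference) =", total_difference(rows))
```

Running the script prints one row per event; the third row has EndCount and difference set to None, and the sum ignores it. If your real events have several "starting count" lines per event, note that rex (and re.search here) only takes the first match unless you use max_match in Splunk, so check the extracted field against a few raw events before charting it.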