topic Re: How to rex multiple fields and represent in a chart? in Splunk Enterprise

How to rex multiple fields and represent in a chart?

pranay04 — Thu, 31 Jan 2019 21:10:50 GMT

I am trying to chart my output from logs to rex for different errors like
i. "com.ibm.mq.MQException" as MQError
ii. "ORA Error" as DB error
iii. "OutOfMemory Error" as OOM

The above errors are part of the log event and are not classified by any fields.

Re: How to rex multiple fields and represent in a chart?

woodcock — Thu, 31 Jan 2019 23:32:13 GMT

Please start over and add many more words of description. I have no idea what you need. Always provide final output mockups so that even if your descriptions are lacking, we can get the gist.

Re: How to rex multiple fields and represent in a chart?

MuS — Fri, 01 Feb 2019 05:58:44 GMT

Hi pranay04,

That's pretty easy and straight forward in Splunk 🙂
Based on your provided examples take this run everywhere command:

| makeresults 
| eval flubber="com.ibm.mq.MQException,ORA Error,OutOfMemory Error" 
| makemv delim="," flubber 
| mvexpand flubber 
| rename comment AS "Everything above this was used to create dummy data!" 
| eval status=case(match(flubber, "com.ibm.mq.MQException"), "MQError", match(flubber, "ORA Error"), "DB error",match(flubber, "OutOfMemory Error"), "OOM", 1=1, " ¯\_(ツ)_/¯ ") 
| chart count by status

The result will look like this:

Hope this helps ...

cheers, MuS

Re: How to rex multiple fields and represent in a chart?

woodcock — Wed, 13 Feb 2019 02:49:52 GMT

Maybe this:

index=AlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| eval error=case(
   searchmatch("com.ibm.mq.MQException"), "MQError",
   searchmatch("ORA Error"),              "DB error",
   searchmatch("OutOfMemory Error"),      "OOM",
   true(),                                "Unknown")
| stats count BY error