topic Re: Need to shorten data and show it by count in Splunk Search

Need to shorten data and show it by count

sunnyparmar — Mon, 18 Dec 2017 07:33:09 GMT

Hi All,

I am executing query which is giving me the below result and I want to shorten the data and show in table format by total no. of count count. So what I want in table from the below result that is "code=200", "method=GET" and "SENDID=OSUUSPANKKI". Any insight would be appreciable. Thanks in advance

2017-12-18 07:26:50,357 [bwReqId=] [play-akka.actor.default-dispatcher-68163] [INFO ] [application] front-play - time=3ms code=200 method=GET remote_ip=85.76.XX.XX host=XXX.basware.com uri=/invoices/attachment/8fc60422e0de11e792e8f398?VERSION=0001&PMTREFNB=f171abc1-eef1-4cb3-a537-54ae4d638a65&TIMESTMP=2017-12-18-092641%2B02&KEYVERS=0001&ALG=0001&LANGCODE=1&SESSIONID=dGpohCr1yQJe-iKenar-&STATUS=Prod&SENDID=OSUUSPANKKI&PMTORIG=1&USERMAC=4901FF5EC300D405133A757F7FA0245B&MAC=B82F0BEECA1B8680CFD9889A94248EC9

Re: Need to shorten data and show it by count

andrey2007 — Mon, 18 Dec 2017 07:57:32 GMT

Hi, try this
[your search]

| rex field=_raw "^(?:[^=\n]*=){3}(?P<code>\d+)\s+\w+=(?P<method>[^ ]+)(?:[^&\n]*&){8}\w+=(?P<SENDID>\w+)"

and if you need count
| stats count by method SENDID code

Re: Need to shorten data and show it by count

sunnyparmar — Mon, 18 Dec 2017 11:40:19 GMT

Could you please let me know how you made this possible by rex as I have tried also but didn't get succeed. Thank you so much

Re: Need to shorten data and show it by count

andrey2007 — Mon, 18 Dec 2017 12:15:47 GMT

You can do it using drop-down menu clicking Event Actions=>Extract fields with Regex generator to generate regexp.