topic Re: How to use rex command to extract two fields and chart the count for both in one search query? in Splunk Search

How to use rex command to extract two fields and chart the count for both in one search query?

anuarora — Wed, 21 Jun 2017 07:51:24 GMT

I have a log statement like 2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{"message":{"TransactionStatus":true,"TransactioName":"removeLockedUser-1498029828160"}} .
How can i extract TransactionName and TranscationStatus and print in table form TransactionName and its count

Re: How to use rex command to extract two fields and chart the count for both in one search query?

anuarora — Tue, 29 Sep 2020 14:37:23 GMT

I tried below query but didn't get any success. It is always giving me 0.

sourcetype=10.240.204.69 "TransactionStatus" | rex field=_raw ".TransactionStatus (?.)" |stats count((status=true)) as success_count

Re: How to use rex command to extract two fields and chart the count for both in one search query?

gcusello — Wed, 21 Jun 2017 10:48:22 GMT

hi anuarora
you could use this regex to extract your two fields:

\{\"TransactionStatus\"\:(?<TransactionStatus>[^,]*),\"TransactioName\"\:\"(?<TransactioName>[^\"]*)\"

you can put it in Field extraction or in rex command

| rex "\{\"TransactionStatus\"\:(?<TransactionStatus>[^,]*),\"TransactioName\"\:\"(?<TransactioName>[^\"]*)\""

Test it at https://regex101.com/r/8Ff4ji/1

Bye.
Giuseppe

Re: How to use rex command to extract two fields and chart the count for both in one search query?

woodcock — Wed, 21 Jun 2017 14:34:21 GMT

Like this:

| makeresults 
| eval _raw="2017-06-21 12:53:48,426 INFO transaction.TransactionManager.Info:181 -{\"message\":{\"TransactionStatus\":true,\"TransactioName\":\"removeLockedUser-1498029828160\"}}"

| rename COMMENT AS "Everything above generates sample event data; everything below is your solution"

| rex "{\"TransactionStatus\":(?<TransactionStatus>[^,]*),\"TransactioName\":\"(?<TransactioName>[^\"]*)\""
| chart count OVER TransactioName BY TransactionStatus

SPECIAL NOTE: Are you sure there is not a missing n in your given text for TransactioName (this may have to be adjusted)?

Re: How to use rex command to extract two fields and chart the count for both in one search query?

anuarora — Thu, 22 Jun 2017 03:06:00 GMT

Thanks Mr. Woodcock. This saved me a lot of time.

Re: How to use rex command to extract two fields and chart the count for both in one search query?

horsefez — Thu, 22 Jun 2017 06:40:57 GMT

@woodcock
btw: Your syntax for "COMMENT" is not wrong, but there is a new one (since 6.5) you might find interesting.
http://docs.splunk.com/Documentation/Splunk/6.6.1/Search/Addcommentstosearches

Re: How to use rex command to extract two fields and chart the count for both in one search query?

woodcock — Fri, 08 Nov 2019 15:12:26 GMT

I like mine better. When the create a genuine comment command, not a macro, then I will switch.