https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418931#M120428 <P>Can you explain how the output of that search query you have so far does not match with what you want?</P> Tue, 03 Jul 2018 14:12:48 GMT FrankVl 2018-07-03T14:12:48Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418930#M120427 <P>Hi everyone,</P> <P>I'm looking to have this result: <BR /> <span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/5304i627FCE52EC4D37D7/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P>For that I have 2 lines in my file: </P> <UL> <LI><STRONG>Question</STRONG>: Service + IdTransaction</LI> <LI><STRONG>Response</STRONG>: Status + IdTransaction</LI> </UL> <P>Until now i can extract the different name of service and different codes but i don't know how to do the matching between them and to increment the result. </P> <PRE><CODE>| rex "(?&lt;Service&gt;CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" | rex field=_raw "Tlv Dico : (?&lt;new&gt;.{22}.{27})?" | rex field=new "2004(?&lt;Status&gt;.{5})?" | stats count(TransactionId) by Service , Status </CODE></PRE> Tue, 03 Jul 2018 13:50:19 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418930#M120427 omarka 2018-07-03T13:50:19Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418931#M120428 <P>Can you explain how the output of that search query you have so far does not match with what you want?</P> Tue, 03 Jul 2018 14:12:48 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418931#M120428 FrankVl 2018-07-03T14:12:48Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418932#M120429 <P>Well, it tells me: No results found. </P> Tue, 03 Jul 2018 14:15:59 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418932#M120429 omarka 2018-07-03T14:15:59Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418933#M120430 <P>Are you running just that specific search? Because I would expect there needs to be something before that, to actually search some data (ie index=foo sourcetype=bar).</P> <P>Also: that TransactionId field, does that exist and contain data?</P> Tue, 03 Jul 2018 14:18:44 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418933#M120430 FrankVl 2018-07-03T14:18:44Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418934#M120431 <P>@omarka if you can add some masked/anonymized sample events, it would be easier for the community members to help you with regex as it would be strictly dependent on your data.</P> Tue, 03 Jul 2018 14:29:44 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418934#M120431 niketn 2018-07-03T14:29:44Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418935#M120432 <P>No i'm running this search : <CODE>(host=g5d66999 OR g5d66956) <BR /> Logger=srvca TLV | rex "(?CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" <BR /> | rex field=_raw "Tlv Dico : (?.{22}.{27})?"<BR /> | rex field=new "2004(?.{5})?"<BR /> | stats count(TransactionId) by Service , Status</CODE><BR /> And yes TransactionID contains data</P> Tue, 03 Jul 2018 14:30:00 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418935#M120432 omarka 2018-07-03T14:30:00Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418936#M120433 <P>TransactionID or TransactionId? Field names are case sensitive!</P> Tue, 03 Jul 2018 14:32:41 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418936#M120433 FrankVl 2018-07-03T14:32:41Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418937#M120434 <P>Yes it is exactly TransactionId</P> Tue, 03 Jul 2018 14:39:03 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418937#M120434 omarka 2018-07-03T14:39:03Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418938#M120435 <P>I'll explain how it works and what i want.<BR /> I have 2 lines containing each one "TransactionId" &amp; "Service" and "TransactionId" &amp; "Status", so when we find </P> <UL> <LI>401 as TransactionId and CONSULT as Service</LI> <LI>401 as TransactionId and 000000 as Status</LI> </UL> <P>So (for example) this is the first line in results, if we find </P> <UL> <LI>453 as TransactionId and CONSULT as Service</LI> <LI>453 as TransactionId and 000000 as Status</LI> </UL> <P>It will increment the first line as shown in the table at the top and so on ...</P> Tue, 03 Jul 2018 15:05:35 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418938#M120435 omarka 2018-07-03T15:05:35Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418939#M120436 <P>You are getting no results because there is no event with both a <CODE>Status</CODE> and a <CODE>TransactionId</CODE>. You need to roll together your two events into a single event per <CODE>TransactionId</CODE>.</P> <P>Try this... </P> <PRE><CODE> your base search | rex "(?&lt;Service&gt;CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" | rex field=_raw "Tlv Dico : (?&lt;new&gt;.{22}.{27})?" | rex field=new "2004(?&lt;Status&gt;.{5})?" | stats values(Service) as Service values(Status) as Status by TransactionId | stats count(TransactionId) by Service , Status </CODE></PRE> Tue, 03 Jul 2018 15:15:23 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418939#M120436 DalJeanis 2018-07-03T15:15:23Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418940#M120437 <P>Thank you @DalJeanis for your answer. <BR /> However, i want to know if it's possible to switch or transpose this values by having something like that:</P> <P>Service 00000 02040 06570<BR /> CONSULT 1650 150 15</P> Tue, 03 Jul 2018 15:44:42 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418940#M120437 omarka 2018-07-03T15:44:42Z https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418941#M120438 <P>@omarka -</P> <P>Assuming your columns are values of <CODE>Status</CODE>, then you are looking for the <CODE>chart</CODE> command. Replace the final <CODE>stats</CODE> with... </P> <PRE><CODE>| chart count(TransactionId) by Service, Status </CODE></PRE> <P>More detail on how to use it here - </P> <P><A href="http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Chart">http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Chart</A></P> Tue, 03 Jul 2018 17:17:23 GMT https://community.splunk.com/t5/Splunk-Search/In-field-extraction-how-to-do-the-matching-between-them-and/m-p/418941#M120438 DalJeanis 2018-07-03T17:17:23Z