topic Re: How to add a column to a stats table using rex in Splunk Search

How to add a column to a stats table using rex

harshparikhxlrd — Thu, 31 Oct 2019 16:03:22 GMT

I'm fairly new to splunk and have just learned how to use the rex/regex. I am trying to add a column in my string search to a statistics table to display the name of the workstation. This is my current string.

Re: How to add a column to a stats table using rex

harshparikhxlrd — Thu, 31 Oct 2019 16:06:52 GMT

Adding to previous post:

Message=

Re: How to add a column to a stats table using rex

gcusello — Thu, 31 Oct 2019 16:30:30 GMT

Hi harshparikhxlrd
if the field you want i ComputerName, probably you already have because Splunk recognize by itself the pair field=value.
Anyway the regex to extract Computername is:

| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"

that you can test at https://regex101.com/r/0n0rks/1

So your search will be (sorry I cannot rewrite your regex because I cannot see it, use Code Sample button to share regexes):

index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error") 
| rex "Message : (?.+.?)" 
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"
| stats count by ex 
| rename ex as Exception

Ciao.
Giuseppe

Re: How to add a column to a stats table using rex

gcusello — Mon, 04 Nov 2019 08:07:02 GMT

Hi harshparikhxlrd,
Try now:

index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error") 
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task.*Message\=(?<Message>.*)"
| stats stats values(Message) As Message values(Computername) AS Computername count by ex 
| rename ex as Exception

That you can test at https://regex101.com/r/0n0rks/2 .

Ciao.
Giuseppe