topic Re: Field extraction in Splunk Search

Field extraction

marina_rovira — Thu, 20 Aug 2020 09:49:10 GMT

Hello all,

I'm having issues achieving to extract fields from a sample in Splunk.

I went to "extract fields", I have the first one, but I don't know how to continue.

Here the sample:

[{"Type":"Attention","ABUSE":18,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":17,"Total":36},{"Type":"Active","ABUSE":0,"GSD 24x7":22,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":2,"Total":80},{"Type":"Total","ABUSE":18,"GSD 24x7":23,"CLOUD":38,"DC":5,"ECL":1,"ITMS":0,"NET":12,"RFO":19,"Total":116},{"Type":"P1","ABUSE":0,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":6,"Total":6},{"Type":"P2","ABUSE":0,"GSD 24x7":1,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":10,"Total":11},{"Type":"P3\/4","ABUSE":18,"GSD 24x7":0,"CLOUD":0,"DC":0,"ECL":0,"ITMS":0,"NET":0,"RFO":1,"Total":19}]

From that, I would like to be able to calculate averages and sums up from the number, having two fields:

- Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...

- Type: Attention, Active...

with this in the search

| rex max_match=0 "(?<Type>((\.*:\")\w+))"|

I got the Type, but no idea on how to proceed.

Any ideas?

Thank you all in advance.

Re: Field extraction

Nisha18789 — Thu, 20 Aug 2020 10:04:19 GMT

hi @marina_rovira , add another rex for extracting team with mutivalues like

Team. Values: ABUSE, CLOUD, GSD 24x7, NET, RFO...

|rex max_match=0 "\"(?<team>.[\w\s]+)\":([0-9]|[0-9]+),"

Hope this helps!

Please upvote my response, if it resolves the issue.

Re: Field extraction

isoutamo — Thu, 20 Aug 2020 11:45:24 GMT

as your data seems to be valid JSON it's easiest to handle that way.

index=_internal | head 1 | eval _raw = "[{\"Type\":\"Attention\",\"ABUSE\":18,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":17,\"Total\":36},{\"Type\":\"Active\",\"ABUSE\":0,\"GSD 24x7\":22,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":2,\"Total\":80},{\"Type\":\"Total\",\"ABUSE\":18,\"GSD 24x7\":23,\"CLOUD\":38,\"DC\":5,\"ECL\":1,\"ITMS\":0,\"NET\":12,\"RFO\":19,\"Total\":116},{\"Type\":\"P1\",\"ABUSE\":0,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":6,\"Total\":6},{\"Type\":\"P2\",\"ABUSE\":0,\"GSD 24x7\":1,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":10,\"Total\":11},{\"Type\":\"P3\/4\",\"ABUSE\":18,\"GSD 24x7\":0,\"CLOUD\":0,\"DC\":0,\"ECL\":0,\"ITMS\":0,\"NET\":0,\"RFO\":1,\"Total\":19}]" | rename COMMENTS AS "Previous lines generate your sample data, you get it by indes=xxx" | spath | rename {}.* as json_* | table json_*

Unfortunately I'm not getting up what/how you want to calculate those values.

r. Ismo

Re: Field extraction

marina_rovira — Thu, 20 Aug 2020 13:25:39 GMT

Hi,

Thanks a lot, it looks like a table now! 🙂

This json gets data every 12 hours. What I pretend to do is to perform some stats about the difference between the one I got the last 12 hours to check difference and how the shifts are performing.

Does it makes sense? I was thinking about to send alerts by e-mail with the stats. But not sure about how I can calculate the stats.

Re: Field extraction

isoutamo — Thu, 20 Aug 2020 13:55:08 GMT

Just ensure that you have _time to your data and then it should be work.

r. Ismo

Re: Field extraction

marina_rovira — Wed, 02 Sep 2020 15:17:56 GMT

Hi,

It's working perfectly, thanks a lot!

What I was thinking to calculate with this.... This numbers are numbers coming before and after every shift. The simplest calculation to do should be to know the difference between the starting and ending shift. However, I've realized that this won't be that easy. Do you have any idea? If not, I will say no possible to do, I've been request this as an improvement but the main thing is working already.

Thank you!

Re: Field extraction

isoutamo — Wed, 02 Sep 2020 15:49:43 GMT

As this is a new requirement, could you create a new question for it wit descriptive title? It’s much easier to found and help other people in community later on.