topic Re: how to use rex to extract two words ...from raw logs in Splunk Search

how to use rex to extract two words ...from raw logs

rajneeshdba — Thu, 17 Dec 2020 01:25:22 GMT

2020-12-17T01:21:44.690341+00:00 txn1.test-fdb-us-south-004 2020-12-17T01:21:44Z { "Severity": "10", "Time": "1608168104.425364", "Type": "MachineMetrics", "ID": "0000000000000000", "Elapsed": "5.00001", "MbpsSent": "2.59981", "MbpsReceived": "2.3487", "OutSegs": "12262", "RetransSegs": "0", "CPUSeconds": "0.111557", "TotalMemory": "67510792192", "CommittedMemory": "4303114240", "AvailableMemory": "63207677952", "ZoneID": "txn1", "MachineID": "txn1", "Machine": "10.95.111.226:4503", "LogGroup": "default", "Roles": "RV", "TrackLatestType": "Original" }

I came up with :

index=fdb sourcetype=* |eval (rex "^s(?<severity>[.]*)y$") as sev | stats count(eval(sev “40”)) as ERROR count(eval(sev “20”)) as WARN count(eval(sev “10")) as INFO by sourcetype

it doest work...

I want to. create a table or time chart. to list all he severity according to sourcetype.

Re: how to use rex to extract two words ...from raw logs

bowesmana — Thu, 17 Dec 2020 06:53:57 GMT

You're confusing rex and eval.

See this rex line and the stats line, which is what you want

| makeresults | eval sourcetype="test" | eval _raw="2020-12-17T01:21:44.690341+00:00 txn1.test-fdb-us-south-004 2020-12-17T01:21:44Z { \"Severity\": \"10\", \"Time\": \"1608168104.425364\", \"Type\": \"MachineMetrics\", \"ID\": \"0000000000000000\", \"Elapsed\": \"5.00001\", \"MbpsSent\": \"2.59981\", \"MbpsReceived\": \"2.3487\", \"OutSegs\": \"12262\", \"RetransSegs\": \"0\", \"CPUSeconds\": \"0.111557\", \"TotalMemory\": \"67510792192\", \"CommittedMemory\": \"4303114240\", \"AvailableMemory\": \"63207677952\", \"ZoneID\": \"txn1\", \"MachineID\": \"txn1\", \"Machine\": \"10.95.111.226:4503\", \"LogGroup\": \"default\", \"Roles\": \"RV\", \"TrackLatestType\": \"Original\" }" | rex "Severity[^\d]*(?<sev>\d+)" | stats count(eval(sev=40)) as ERROR count(eval(sev=20)) as WARN count(eval(sev=10)) as INFO by sourcetype