topic Re: help to build the query using abstract command in Splunk Search

help to build the query using abstract command

logloganathan — Tue, 29 Sep 2020 18:36:47 GMT

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value

this query displaying 5 lines but want only the first lines

how to get using abstract maxlines=1

Re: help to build the query using abstract command

richgalloway — Wed, 21 Mar 2018 12:59:36 GMT

Try

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value | head 1

Re: help to build the query using abstract command

logloganathan — Wed, 21 Mar 2018 13:04:07 GMT

it wont work..it provide table with one result

Re: help to build the query using abstract command

richgalloway — Wed, 21 Mar 2018 14:04:42 GMT

Isn't that what you asked for? ("want only the first lines") If you want more than one line, change the "1" to the desired number.

If it's something else you seek, please clarify the question.

Re: help to build the query using abstract command

logloganathan — Tue, 29 Sep 2020 18:37:30 GMT

Actually i have regular expression and displaying the value
that value have 5 lines. i want to reduce that using the abstract command
how to do that

base query | regex field= "XXX*(?.*)" | stats count by regular_expression_value

regular_expression_value count
5 lines 4
3 lines 8

Re: help to build the query using abstract command

richgalloway — Thu, 22 Mar 2018 14:04:53 GMT

The abstract command is for text, not stats.

Re: help to build the query using abstract command

logloganathan — Thu, 22 Mar 2018 14:13:01 GMT

Could you please modify the same command without stats and substitute abstract

Re: help to build the query using abstract command

richgalloway — Fri, 23 Mar 2018 14:03:28 GMT

base query | regex field= "XXX*(?.*)" | abstract maxlines=1

Re: help to build the query using abstract command

logloganathan — Fri, 23 Mar 2018 14:39:44 GMT

what will it do?
it not providing the answer i expected

Re: help to build the query using abstract command

richgalloway — Tue, 27 Mar 2018 12:47:11 GMT

What answer are you expecting? What exactly are you trying to do? You insist on using abstract, but perhaps that is not the way to accomplish your goal.

Re: help to build the query using abstract command

logloganathan — Tue, 27 Mar 2018 13:05:21 GMT

Hi,

actually i have regular expression..it having 5 lines value.
i want one line using abstract.
is it possible to do?
Could you please help me in this request.

Re: help to build the query using abstract command

p_gurav — Tue, 27 Mar 2018 13:19:30 GMT

Can you try :

base query | regex field= "XXX*(?.{10}).*\n" OR  base query | regex field= "XXX*(?[^\n\r]+)"

Re: help to build the query using abstract command

logloganathan — Tue, 27 Mar 2018 13:39:57 GMT

is it possible to do the same with abstract command?

Re: help to build the query using abstract command

richgalloway — Wed, 28 Mar 2018 13:27:19 GMT

It's still not clear to me what your goal is. You've re-stated the original request and not added any clarification. I've done all I can do with what you've provided so far.

Re: help to build the query using abstract command

logloganathan — Wed, 28 Mar 2018 13:32:49 GMT

Thanks for your help
i think we can't combine abstract command and regex.

Re: help to build the query using abstract command

niketn — Wed, 28 Mar 2018 16:37:33 GMT

@logloganathan, based on your description so far seems like you want your regular expression to return result only from first line of an event. The .* Regular Expression by default stops at a line break which should do it. You are focused on abstract and rex command however, even if feasible that might not be right way at all. We would not be able assist you properly unless you provide further detail of what regular expression you have used and provide some mocked up anonymized data.

What do you mean by regular expression..it having 5 lines value? It can either be raw event with data across 5 lines or Regular Expression based extraction that fetches 5 lines instead of 1.

Whether it is _raw event with 5 lines or Regular Expression fetching 5 lines, you can adjust your Regular Expression to fetch only the first line (which would be ideal way).

Although I have taken an example for Splunk's _internal log which is always 1 line but you can try with your base search instead along with your own regex:

index=_internal sourcetype=splunkd
| abstract maxlines=1
| rex "^([^\s]+)\s([^\s]+)\s([^\s]+)\s(?<logLevel>[^\s]+)\s"
| table logLevel _raw

Re: help to build the query using abstract command

logloganathan — Thu, 29 Mar 2018 08:23:09 GMT

This is one i need. Thanks for your help!!
very helpful Nikenilay!! Thanks Again

Re: help to build the query using abstract command

niketn — Thu, 29 Mar 2018 09:50:23 GMT

@logloganathan, I am glad it worked. However, like I said, you should ideally be able to handle directly in rex command without having to use abstract command which is working for you but is actually just an overhead.