topic regarding Search in Splunk Search

regarding Search

rajgowd1 — Tue, 29 Sep 2020 12:14:28 GMT

HI,
we have log which has some key value pairs and one of the key is instance which has values like 0,1,2
when ever there is an issue,application logs displays instance 0 crashed,instance 0 STARTED instance 1 STOPPED

i am trying to display in scatter chart in x-axis time and in Y-Axis status like UPDATE,CRASHED,STARTED or STOPPED

here is the search i am trying with table but how can we show them in scatter

when i try to display in table with below search,for last column newmsg always displays UPDATE for all

here is the sample log

<6>2017-01-01T05:59:42Z 2ejoqs8tf0q doppler[20]: {"appid":"beaffaf8-28d8-4d2b-959b-c71a7547283f","appname":"demo-prod",
"ignoredapp":false,"orgid":"55c398bc-86d0-4443-ad97-1711fe264638","orgname":"LATAM-MX-DIGITAL","cf_origin":"firehose",
"space_id":"51e0484a-d642-4f37-b979-d40336913f8f","env":"CC-PORTAL-UAT3","deployment":"cf","event_type":"LogMessage",
"ip":"168.72.205.40","job":"cloud_controller-partition-a2833c853cfafee70104","job_index":"2","level":"info","messtype":"OUT",
"msg":"App instance exited with guid beaffaf8-28d8-4d2b-959b-c71a7547283f payload: {\"instance\"=\u003e\"d0bfa02d-43d8-439c-7d4b-d29cb9e13835\",
\"index\"=\u003e0, \"reason\"=\u003e\"CRASHED\", \"exit_description\"=\u003e\"2 error(s) occurred:\n\n* 2 error(s) occurred:\n\n* Codependent
step exited\n* cancelled\n* cancelled\", \"crash_count\"=\u003e134, \"crash_timestamp\"=\u003e1483250382557858527,
\"version\"=\u003e\"7e7e8a62-a249-4608-a69b-d55daf3947c6\"}","origin":"cloud_controller","source_instance":"2","source_type":"API",
"time":"2017-01-01T05:59:42Z","timestamp":1483250382577570779}

Re: regarding Search

niketn — Mon, 02 Jan 2017 07:49:53 GMT

You would need to reconsider your regular expression for field extraction. Assuming msg field contains the reason information that you want to extract:

<Your Base Search>
| rex field=msg "reason\\\"\=\\(?<reasonCode>\w+)\\\"(?<newmsg>\w+)\\\"\," 
| table appname, time, source_instance, msg, newmsg 
| sort appname, time, source_instance, newmsg

If msg field does not have the reason as expected, you can replace msg with _raw i.e.

| rex field=_raw "reason\\\"\=\\(?<reasonCode>\w+)\\\"(?<newmsg>\w+)\\\"\,"

PS: Ideal you should move this to Field Extraction using Extract New Fields in Splunk Search or through Props.conf, once you have established that the regular expression is working as expected. For quick hints/testing regular expressions you can try regex101.

Re: regarding Search

rajgowd1 — Mon, 02 Jan 2017 17:00:34 GMT

Hi,
it throwing error when i replace the regular expression

| rex field=_raw "reason\\"=\(?\w+)\\"(?\w+)\\"\,"

Error in 'rex' command: Encountered the following error while compiling the regex 'reason\"=(?\w+)\"(?\w+)\"\,': Regex: unmatched parentheses

and i would like to show them in scatter graph,which i explained in my question.

Re: regarding Search

rajgowd1 — Mon, 02 Jan 2017 19:09:57 GMT

i tried this search and got result with different states

eval newmsg="UPDATE" | rex field=_raw "(?CRASHED|STARTED|STOPPED)"

how can we show this scatter chart or in D3

x-axis as time and
y-axis as CRASHED,STARTED,STOPPED or UPDATE

Re: regarding Search

rajgowd1 — Mon, 02 Jan 2017 20:50:47 GMT