topic Re: How to right regular expression for finding field value app=Center realm. ? in Splunk Search

How to right regular expression for finding field value app=Center realm. ?

moiezuddin — Tue, 07 Apr 2015 15:23:49 GMT

Hi when i searched with the below query

index=casm_prod sourcetype=smtrace ........REGULAR EXP.....................

Please help me to right regular expression for finding the application value app=Center realm

By default it is not showing exanmple index=casm_prod sourcetype=smtrace app=Center realm

so we need to right regular expression to show the result

kindly help on it

Re: How to right regular expression for finding field value app=Center realm. ?

richgalloway — Tue, 07 Apr 2015 15:59:19 GMT

Please post some sample data.

Re: How to right regular expression for finding field value app=Center realm. ?

tachifelix — Wed, 08 Apr 2015 08:30:58 GMT

to make sure that app=center realm in your data run this search : index=casm_prod sourcetype=smtrace |search "Center realm"

Re: How to right regular expression for finding field value app=Center realm. ?

tachifelix — Wed, 08 Apr 2015 08:36:55 GMT

then post a sample event of the result

Re: How to right regular expression for finding field value app=Center realm. ?

Richfez — Wed, 08 Apr 2015 17:25:16 GMT

moiezuddin, I am not sure I'm interpreting the request, but I see two possibilities.

1) "Center realm"

we can see that "Center realm" is definitely in at least some search results given your posts/replies to tachifelix. If you need to filter only on those, there is no harm in avoiding the "app=" portion and just searching for "Center realm" as your search string (in other words use index=casm_prod sourcetype=smtrace "Center realm" instead of index=casm_prod sourcetype=smtrace app="Center realm")

But I don't think that's what you are after. I think instead, you want:

2) app="Center realm"

I think you are trying to "define" app to be "center realm" when it's like the second set of logs. For this, you'll want to create a field extraction. You give a line format like so: [04/08/2015][06:13:13.893][498011056][s46597300/r12][Center realm].... Now, I'm no wizard, but you could brute force something like creating a field out of the 4th set of "stuff" in square brackets (starts at index 0, not 1, hence 4th, not 5th). There are regex ways to do it, too.

index=casm_prod sourcetype=smtrace  
| makemv tokenizer="\[(.*?)\]" _raw
| eval app=mvindex(mystring,4)

Now, I'm not sure how that work given your other search results, but if it's like most things in Splunk the above commands will ignore lines that don't fit the [stuff1][stuff2],... format of these lines. I'm also not positive I have it all right, you may need the 3rd, 5th, or some other field out of that.

That should let "app=blah" work fine when it's in the url string (where splunk already knows this field) and when the line matches the format of the set you gave above, then it should add app="Center realm" as a field.

Give that a try and see how it goes.

Re: How to right regular expression for finding field value app=Center realm. ?

Richfez — Wed, 08 Apr 2015 17:36:12 GMT

By the way, if you want to use the other values, I'd use a rex probably. I'm making it up, but if you wanted to break on square brackets, something like...

index=casm_prod sourcetype=smtrace | rex "\[(?<mydate>[^]]+)\]\[(?<mytime>[^]]+)\]\[(?<somefield1>[^]]+)\]\[(?<somefield2>[^]]+)\]\[(?<app>[^]]+)\]"

That you can extend it by copying/pasting each part and renaming the field. \[(?[^]]+)\] is one piece. 🙂

Re: How to right regular expression for finding field value app=Center realm. ?

Richfez — Wed, 08 Apr 2015 17:38:00 GMT

I think the inline version of the code (the little piece) ate my angled brackets and what was inside it (right after the question mark). You can probably figure it out. If you have specific problems, ask again with a few sample lines and what does/is and does not/is not working.

Re: How to right regular expression for finding field value app=Center realm. ?

moiezuddin — Mon, 28 Sep 2020 19:27:27 GMT

thanks rich, for your brief explanation.

i got the result with the below search query

index=casm_prod sourcetype=smtrace "Center realm" | bucket _time span=1m |stats count(sso_id) as eventcount by _time, sso_id

thanks alot