topic Re: Help combining 2 searches in Splunk Search

Help combining 2 searches

apalen — Thu, 15 May 2014 17:31:06 GMT

I am attempting to do this search:
host = pesweb* "payment via manually entered card" | stats count by users
My data looks like:
2014-05-15 13:20:08,728 INFO [resin-port-foo port pdeur: foo port invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java) - payment via manually entered card: user/amt/invoice = pdeur/foo123

The bold is the user id associated to these event, but when i attempt the above search it doesn't detect that as a user id.

My questions is how may i make it do so? Should i use some type of field extract? My end gold is to be able to see which user's are doing this method and allow our customer support team to reach out to these customers and see why they are entering this information manually.

Thanks in advance splunk community!

Re: Help combining 2 searches

somesoni2 — Thu, 15 May 2014 17:38:30 GMT

You will have to create field extract/use rex command to retrieve field 'user', as its not in Splunk's standard format (key-value pair).

Re: Help combining 2 searches

apalen — Thu, 15 May 2014 17:56:45 GMT

I was afraid of this. My regex is pretty weak. If anyone in the community is a regex pro, with a few minutes i would greatly appreciated any directions on this regex to produce the results I'm looking for.

As always thanks in advance splunk community!

Re: Help combining 2 searches

somesoni2 — Thu, 15 May 2014 18:00:50 GMT

You can use Splunk's inbuild Field Extractor for the same. (In event view of the data, click on small triangle on the left of event [Event options menu] and select 'Extract fields'. provide example values and click on generate. You can save the field extraction from there as well)

http://docs.splunk.com/Documentation/Splunk/6.1.1/Knowledge/ExtractfieldsinteractivelywithIFX

Re: Help combining 2 searches

somesoni2 — Thu, 15 May 2014 18:06:53 GMT

Or provide some more sample events (to cover all possibilities) and Splunkers can help you will regex.

Re: Help combining 2 searches

apalen — Fri, 16 May 2014 16:17:55 GMT

Here is a snippet of our logs, i have scrubed some of the data
2014-05-16 11:01:51,065 INFO [ foo:10598 aaaJQk5ZSIo446szyJfyu ENC11945241] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo/2925/11945241
2014-05-16 11:01:25,165 INFO [ ] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = null/27155/11951016

Re: Help combining 2 searches

apalen — Fri, 16 May 2014 16:18:45 GMT

[foo123:10095 aaaZ5kH3likxE8fFvwfyu ENC11950841] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo123/2681/11950841

[foo:2513 aaaVBhyhrcPFc5cFUGfyu ENC11950843] invoice.AcquireInvoiceLifeCycleManager (AcquireInvoiceLifeCycleManager.java:1671) - payment via manually entered card: user/amt/invoice = foo/5000/11950843

Re: Help combining 2 searches

apalen — Fri, 16 May 2014 16:19:41 GMT

user id's can be a combination of alphanumeric values between 3 and 10 digits.

Re: Help combining 2 searches

somesoni2 — Fri, 16 May 2014 18:13:31 GMT

And the user Id in these logs is "11950843","11950841" etc OR "ENC11950843","ENC11950841"?

Re: Help combining 2 searches

MuS — Fri, 16 May 2014 18:14:47 GMT

Hi apalen,

based on your provided examples, try something like this:

 your base search here | rex field="_raw" "user/amt/invoice\s=\s(?<myUser>[\w\d]{3,10})" | table myUser

this will create a new field named myUser if this matches your needs you can use this as automatic field extraction.

hope this helps ...

cheers, MuS

Re: Help combining 2 searches

apalen — Fri, 16 May 2014 18:15:53 GMT

oh sorry, the user id's are tag at the beginning and end.

foo
foo123

Re: Help combining 2 searches

apalen — Fri, 16 May 2014 18:18:01 GMT

Thanks MuS, I will try this!