topic Re: Field Extractor - extract digit from brackets in Splunk Search

Field Extractor - extract digit from brackets

darspla — Thu, 12 Aug 2021 06:59:01 GMT

Hi,
I would like to extract particular digit from brackets, index it as follows and based on that create stats hourly.
Each time is picking this up with bracket as a string.

This is service which is making entry every hour, once will recognize to add up will present digit , if not will be 0.
My goal would be to have stats from every hour on the graph to see how does it changes.

Re: Field Extractor - extract digit from brackets

gcusello — Thu, 12 Aug 2021 07:06:50 GMT

Hi @darspla,

you have to use a regex to extract the fields you need.

I could be more precise if you share two or three examples of your logs (in text format, not image),

Anyway try something like this:

| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"

Ciao.

Giuseppe

Re: Field Extractor - extract digit from brackets

darspla — Thu, 12 Aug 2021 07:22:26 GMT

Hi @gcusello ,

Thanks for quick reply.

2021-08-12 7:17:34.338 AM 2021-08-12 07:17:34,338+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 378 ] users to update in DB cache in [ 1166ms ]

2021-08-12 06:17:34,305+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 125 ] users to update in DB cache in [ 1129ms ]

Re: Field Extractor - extract digit from brackets

gcusello — Thu, 12 Aug 2021 07:33:37 GMT

Hi @darspla,

as you can see at https://regex101.com/r/hQylcj/1 the above regex is correct.

Ciao.

Giuseppe

Re: Field Extractor - extract digit from brackets

darspla — Thu, 12 Aug 2021 08:22:00 GMT

Hi @gcusello ,
Yes, works very nicely. Would you have any idea how to retrieve stats daily from action like below when :
"[36972 ] users to update "

[ 9216 ] users to delete, [ 2 ] users to add, [ 36972 ] users to update in DB cache in [ 6847ms ]

Retrieve data when is higher than '100' ?
Bit concern which graph to choose to make it readable for many people.

Re: Field Extractor - extract digit from brackets

gcusello — Thu, 12 Aug 2021 14:35:07 GMT

Hi @darspla,

I don't know your logs and your requirements.

I suppose that you could have a time distribution day by day or hour by hour, it depends on how frequently you receive the above logs.

So, if e.e. you receive the above logs once in a day, you could run something like this:

or something like this:

index=your_index | rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update" | bin span=1d _time | stats max(users_to_delete) AS users_to_delete max(users_to_add) AS users_to_add max(users_to_update) AS users_to_update BY _time

Ciao.

Giuseppe

Re: Field Extractor - extract digit from brackets

darspla — Fri, 13 Aug 2021 07:17:47 GMT

Thanks a lot @gcusello , that gave some vision. Modified in 2 other ways so fetched info needed.

Re: Field Extractor - extract digit from brackets

gcusello — Fri, 13 Aug 2021 07:32:00 GMT

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉