topic Re: Creating charts and Regex in Splunk Search

Creating charts and Regex

jigneshjsoni71 — Mon, 08 Sep 2014 15:59:18 GMT

I am using Splunk for first time and have been given following task

Create a document on the different kinds of charts and corresponding regular expressions.

Based on,

1. Month on month

2. Year on year

3. Week over week

4. Day of week

I have no idea, what these charts are and how to create them. There is no one in team, who knows about Splunk. Can someone please throw some light on how to do this ?

I know, how to create Perl regex.

Thanks

Re: Creating charts and Regex

kml_uvce — Mon, 08 Sep 2014 16:07:06 GMT

you need to index data first in an index.
then u can write search
index=|| timechart span= by

see the doc:
for regex
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Rex
http://docs.splunk.com/Documentation/Splunk/6.1.3/Knowledge/AboutSplunkregularexpressions

for timechart:
http://docs.splunk.com/Documentation/Splunk/6.1.3/SearchReference/Timechart

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 16:10:37 GMT

There is not enough information to be able to help you with an answer.

First, please provide some sample data, and then describe in more detail what information out of it you want to graph. If you "have no idea" what I'm asking, then you should go back to the person who assigned you this task and ask them what it means.

Second, you'll likely be using Splunk's time-related commands and functions to generate charts, not regex. Regex is used in Splunk primarily to extract data into fields.

This might also help:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

Re: Creating charts and Regex

jigneshjsoni71 — Mon, 08 Sep 2014 20:20:57 GMT

If I want to find events for Sept 9, 2014, how do I provide that command ?

I am using host=e2pswer sourcetype=syslog | date_hour=Sep 8 2014

This gives an error message unknown command date

host=e2pswer sourcetype=syslog | stats count by date_hour

This gives "No results found" error

So please guide me how to find events for specified host and sourcetype for a specified date

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 20:29:37 GMT

In your first search, you don't really want a pipe there, and you don't want to test an hour value against a date string. (And even if you did, the date string would need to be in quotes.)

For your second search, are you sure you have your date chooser set to "All Time"? What happens when you just do this:

host=e2pswer sourcetype=syslog

Do you get any results? If so, what happens when you change the date chooser to just use September 8, 2014?

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 20:31:18 GMT

date_hour is a value that represents the numerical hour that the event happened in. So stats count by date_hour would give you a chart where one column has the values 0-23, and the other column would have counts of events from those hours. I don't think that's what you're going for here.

Re: Creating charts and Regex

jigneshjsoni71 — Mon, 08 Sep 2014 20:37:34 GMT

As I explained in previous post, how can I get events for today's date ?

How do I provide command for that ?

What I am showing here is what I tried and did not work. Please let me know, how to use cmd to get events for a date.
Thanks

Re: Creating charts and Regex

jigneshjsoni71 — Mon, 28 Sep 2020 17:31:23 GMT

When I write host=e2pswer sourcetype=syslog | fields-date_hour

search command is implied. So does it mean

does it mean search(host=e2pswer sourcetype=syslog) | fields-date_hour

Thanks

Re: Creating charts and Regex

jigneshjsoni71 — Mon, 08 Sep 2014 20:43:48 GMT

index=|| timechart span= by

I am confused with this syntax. Please provide a sample from where I can build.

Thanks

Re: Creating charts and Regex

jigneshjsoni71 — Mon, 08 Sep 2014 20:53:17 GMT

I dont see syntax for index anywhere in manual. So when I write host, sourcetype, does it mean its an index ?

host=e2pswer, is it an index, where host means index and e2pswer means name for this index ?

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 20:54:03 GMT

If you want to include it on the search bar for a search for just today's events, do something like this:

host=e2pswer sourcetype=syslog earliest=+0@d

See http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/SearchTimeModifiers for how to add time modifiers to your searches.

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 20:55:49 GMT

For events on other days, do something like this (for September 4, say):

host=e2pswer sourcetype=syslog earliest=9/4/2014:0:0:0 latest=9/5/2014:0:0:0

Re: Creating charts and Regex

jigneshjsoni71 — Mon, 08 Sep 2014 20:59:56 GMT

Thanks for reply. But when i am using this syntax with earliest, it gives "No results found" and when I use without earliest, I am getting plethora of events.
When do I need to use | ? How come is it not required after host OR sourcetype ?

Thanks

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 21:07:59 GMT

You need to use the pipe when you want to transform a result set, by doing stats, table, timechart, or some other transformation. It's not required after your host or sourcetype clauses because the time modifiers are terms to filter your initial results. You're not yet transforming the result set.

As for why you don't get results with earliest, I can't say. The obvious question is, are there actual events on that day? What happens when, instead of adding the earliest term to your search, you leave it off and instead use the time chooser on the search bar to filter your results?

Re: Creating charts and Regex

aweitzman — Mon, 08 Sep 2014 21:14:30 GMT

If you are asking questions about things like index, host and sourcetype I would highly recommend going through the tutorial documentation:

http://docs.splunk.com/Documentation/Splunk/latest/SearchTutorial/WelcometotheSearchTutorial