topic Re: How to extract a keyword from a log and create a chart based on the count of this field? in Splunk Search

How to extract a keyword from a log and create a chart based on the count of this field?

raindrop2 — Mon, 15 Sep 2014 22:01:03 GMT

I am trying to extract the DENY keyword from the log, and then create a chart based on this field count.

"2014-06-15 21:29:51" Junior id=test3@test.com,ou=user,o=test,ou=services,dc=test,dc=rock,dc=org 726c434d6024d0a706 "Not Available" INFO o=test,ou=services,dc=test,dc=rock,dc=org "cn=dsameuser,ou=DSAME Users,dc=openam,dc=forgerock,dc=org" DENY ourusers.access "Not Available" 10.0.0.1

Re: How to extract a keyword from a log and create a chart based on the count of this field?

kristian_kolb — Mon, 15 Sep 2014 22:19:05 GMT

It depends on how you want to chart it, and what other events look like. Your original request can be satisfied with something like;

sourcetype=your_sourcetype " DENY " | timechart span=1h count

I.e. not extracting the field at all, but just searching for events that have the matching string, and then use a timechart to show them over.. time.

Re: How to extract a keyword from a log and create a chart based on the count of this field?

raindrop2 — Mon, 15 Sep 2014 22:21:56 GMT

" I have "Permit" "Deny" "NA" variables, so i want on the chart to show me " how many permit,denay or na. thanks for your help ...

Re: How to extract a keyword from a log and create a chart based on the count of this field?

kristian_kolb — Tue, 16 Sep 2014 05:55:02 GMT

Since we still don't know how the other events look like, it'll be hard to give very precise advice. However, if the keyword you're after is either "PERMIT", "DENY" or "NA" (without the quotes), and these strings do not appear otherwise in your events, you could try;

props.conf
[your sourcetype]
EXTRACT-blah = \s(?(PERMIT|DENY|NA))\s

or if the position of the keyword is fixed, you can try to anchor your regex towards the end of the line;

props.conf
[your sourcetype]
EXTRACT-bleh = (?\S+)\s+\S+\s+\"[^\"]+\"\s+[\d.]+$

These are just some of the options available. With more information and sample events, you'll be able to get better help.

Re: How to extract a keyword from a log and create a chart based on the count of this field?

raindrop2 — Tue, 16 Sep 2014 15:34:32 GMT

thanks much for your response, I don't have permission to modify props.conf. so i have to figure out to get string to extract this keyword. The logs are the same format the only variable the status either (Permit Deny NA)