topic Re: How can I get the top products in the following events? in Splunk Search

How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 11:10:11 GMT

My events looks like following with last 8 digits are the item no

2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.

2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.

My base search is
"is not cartonable"

so aim is to get all events which container "is not cartonable" and get either the count of products or top products out of those events

Re: How can I get the top products in the following events?

kml_uvce — Fri, 19 Dec 2014 11:25:26 GMT

try this
your search|rex field=_raw ".is not cartonable.(?<item>\d{8})."|chart count by item

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 11:52:11 GMT

Thanks kml_uvce:
I did in search the following as you said

is not cartonable|rex field=_raw ".is not cartonable.(?d{8})"|chart count by item

but i get an error
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?d{8})': Regex: unrecognized character after (? or (?-

Re: How can I get the top products in the following events?

kml_uvce — Fri, 19 Dec 2014 11:54:38 GMT

its printing problem put "*" after both "." and "backslash" before d

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 11:59:59 GMT

Thanks for helping, now i get this error
Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?\d{8})': Regex: nothing to repeat

does that mean there is nothing duplicate item??

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:00:41 GMT

sorry I am really new to splunk

Re: How can I get the top products in the following events?

kml_uvce — Fri, 19 Dec 2014 12:02:22 GMT

there are printing problem , i changed ans. above and you can put "*" after both "." and "backslash" before d

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:08:36 GMT

My search is now
is not cartonable|rex field=_raw ".is not cartonable.(?\d{8})"|chart count by item

I get an error

Error in 'rex' command: Encountered the following error while compiling the regex '.is not cartonable.(?\d{8})': Regex: unrecognized character after (? or (?-

I think its not recognizing "\"

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:09:39 GMT

I did put "*" after each "." as well

Re: How can I get the top products in the following events?

kml_uvce — Fri, 19 Dec 2014 12:13:30 GMT

have you put backslash before d?
and also pls see new changes in above query

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:22:03 GMT

yes i have changed the query and added "*" and "backslash" as you said

is not cartonable|rex field=_raw ".is not cartonable.(?\d{8})"|chart count by item

Its not in error now but showing
Item count
true 18

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:28:05 GMT

i think search for events should be
"packing rule is defined"
do i need to change anything in rex query ?

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:31:09 GMT

Events with "packing rule is defined" are
like

2014-11-28 00:10:21.446 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018266928 is not cartonable because of packing rule is defined for item WaPMxJNx.

2014-11-28 00:10:21.435 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267047 is not cartonable because of packing rule is defined for item eFrNP/Ry.

2014-11-28 00:10:21.422 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273230 is not cartonable because of packing rule is defined for item T1C3nrEz.

2014-11-28 00:10:21.415 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274966 is not cartonable because of packing rule is defined for item tkP3KYwu.

2014-11-28 00:10:21.412 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018267099 is not cartonable because of packing rule is defined for item FWjgQ7Vy.

2014-11-28 00:10:21.411 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018273217 is not cartonable because of packing rule is defined for item McEbo7ry.

2014-11-28 00:10:21.390 INFO 10.86.66.147 KiCartonableFlagOperator Order 00000000000018274953 is not cartonable because of packing rule is defined for item 7o11ZiQx.

Re: How can I get the top products in the following events?

kml_uvce — Fri, 19 Dec 2014 12:33:05 GMT

see i think its coming because of there is . in the end there is some printing prob so we r facing issue ,you can use another method ,search
"your search" "is not cartonable" and then extract field item http://docs.splunk.com/Documentation/Splunk/6.2.0/Knowledge/ExtractfieldsinteractivelywithIFX
and then
"your search" "is not cartonable"|chart count by item

Re: How can I get the top products in the following events?

kml_uvce — Fri, 19 Dec 2014 12:40:36 GMT

you can use rex also and replace d with w in query . i thought its 8 digit as you mentioned earlier but its character.

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:44:41 GMT

Thanks a lot, I have tried field extraction and it worked perfectly

Re: How can I get the top products in the following events?

ansbilal — Fri, 19 Dec 2014 12:48:05 GMT

also worked with replacing d with w