topic Re: How to edit my search to find the total count for three different actions? in Splunk Search

How to edit my search to find the total count for three different actions?

splunkman341 — Tue, 07 Jul 2015 16:39:17 GMT

Hi guys,

I wanted to know how I would go about getting the total count for each document action over the past 30 days. The document actions are as follows:

BROWSE DOCUMENTS

Re: How to edit my search to find the total count for three different actions?

bmacias84 — Tue, 07 Jul 2015 16:48:11 GMT

@splunkman341, If you simply looking for a regex that will extract document action the following will work.

...| rex field=_raw "EmployeeDocumentServicesImpl\.(?<document_action>[^\(]+)" | stats count by document_action

Updated to include service as extracted group.

...| rex field=_raw "rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | stats count by document_action

Both work on all samples provided and match in under 25 steps.

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Tue, 07 Jul 2015 17:03:56 GMT

EmployeeDocumentServicesImp.getDocument() is one of the three actions

Re: How to edit my search to find the total count for three different actions?

woodcock — Thu, 09 Jul 2015 15:08:06 GMT

As @bmacias84 implied, you put it together like this:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | stats count by document_action

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Thu, 09 Jul 2015 17:45:53 GMT

I tried to put it together with the document actions as mentioned, and the search did not work. I get the error mesage

Error in 'rex' command: Encountered the following error while compiling the regex '(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)': Regex: missing )

The code i tried to execute is as follows:

index=doccloud_main sourcetype=doccloud_sb | rex "(?<service>EmployeeDocumentServicesImpl\.(?<document_action>listDocuments()|getDocumentPDF()|getDocument()[^\(]+)" | stats count by document_action

Re: How to edit my search to find the total count for three different actions?

bmacias84 — Thu, 09 Jul 2015 18:05:31 GMT

@splunkman341, Your regex is invalid. ( and ) are part of the regex syntax used for group you have to escape them. I recommend that you visit http://www.regular-expressions.info. If you would like service checkout my update regex statement.

Re: How to edit my search to find the total count for three different actions?

woodcock — Thu, 09 Jul 2015 18:50:38 GMT

I should have tested his RegEx. This works:

documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)

I have updated my answer.

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Thu, 09 Jul 2015 19:10:33 GMT

EXCELLENT!!!

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Thu, 09 Jul 2015 19:14:02 GMT

I was kind of wondering if I could tweak this further(graphically) so it displays each of the actions mentioned above on a day-to-day basis. For example, it would show a count of how many documents added, updated, downloaded, view, e.t.c daily.

Is that possible?

Re: How to edit my search to find the total count for three different actions?

woodcock — Tue, 29 Sep 2020 06:38:24 GMT

Yes, like this:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud.rs.services.(?[^.]+).(?[^(]+)" | timechart span=1d count by document_action

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Thu, 09 Jul 2015 19:20:24 GMT

I get one giant bar of null when executing:

index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | timechart span=1d count by document_action

I think it just added everything into one bar

Re: How to edit my search to find the total count for three different actions?

woodcock — Thu, 09 Jul 2015 19:26:16 GMT

Did you run your search for more than 1 day? I told it to bucket by days. If you would like to run a shorter search and bucket by hours, switch span=1d to span=1h.

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Thu, 09 Jul 2015 19:56:28 GMT

I tried for one day and for 30 days and get the same result. I want the total count of each action on a day to day basis for the past 30 days.

Re: How to edit my search to find the total count for three different actions?

woodcock — Thu, 09 Jul 2015 20:20:03 GMT

The problem is probably your scale; one of the values ( null ?) is so large that it drowns out the other bars. Change the Y-axis format from "linear" to "log" and you should see all the bars. If it is null that is killing you, you can strip it out like this:

 index=doccloud_main sourcetype=doccloud_sb | rex "documentcloud\.rs\.services\.(?<service>[^\.]+)\.(?<document_action>[^\(]+)" | where isnotnull(document_action) | timechart span=1d count by document_action

Re: How to edit my search to find the total count for three different actions?

splunkman341 — Thu, 09 Jul 2015 20:52:03 GMT

WORKS BETTER THAN A DREAM!