topic Re: How to generate a search for specific words in row data? in Splunk Search

How to generate a search for specific words in row data?

jw44250 — Tue, 17 Jan 2017 20:39:22 GMT

My search result is like this :

result 1
. message hello test helo test

result 2
. message hello test helo test

result3
. message hello test helo test

count or group by message1, message 2

Re: How to generate a search for specific words in row data?

jw44250 — Tue, 17 Jan 2017 20:40:16 GMT

there is no unique field ,

Re: How to generate a search for specific words in row data?

aaraneta_splunk — Tue, 17 Jan 2017 21:03:00 GMT

@jw44250 - It would be helpful if you were to provide the search you're already using. Also, the more information you provide in your post, the greater chance of it being answered with a working solution.

Re: How to generate a search for specific words in row data?

somesoni2 — Tue, 17 Jan 2017 21:42:59 GMT

Is the message field already extracted? If not, share some sample result so that we can suggest a regex for it to extract. After the fields extraction, you could simply use ...| stats count by messagetype of commands.

Re: How to generate a search for specific words in row data?

jw44250 — Tue, 17 Jan 2017 23:25:16 GMT

index= index1 "message"

message can appear anywhere, start of paraph, midd, end,etc

Query Result

"message hello1"

message=" message hello2";

message="message hello1"

message="hello message test"

message="mikale"

Re: How to generate a search for specific words in row data?

jw44250 — Tue, 17 Jan 2017 23:26:50 GMT

actually needed to group them

"message hello1"
message=" message hello2";
message="hello message test"
message="mikale"
there is not unique field.. i want make new field and
do something like

_row="subtring(message) 0-20 characters as meesage

Re: How to generate a search for specific words in row data?

lguinn2 — Wed, 18 Jan 2017 00:21:58 GMT

First, you can't create a variable with a name that starts with underscore (_).
Here is a way to group them and report; this answer includes some of the ideas in the comments as well.

index=index1 "message hello1" OR "message hello2" plus whatever else belongs in your search
| rex "message\s(?<message>.{1,20})"
| eval message=case (isnull(message),"No message",
            match(_raw,"hello1") OR user="admin","Msg 3",
            match(_raw,"hello2"),"Msg 2",
            match(_raw,"hello1"),"Msg 1" )
| stats count by message

First, the rex command looks at the raw text for the word "message" followed by a space, and then collects the following 20 characters (or less if there aren't 20 characters remaining on the line).
Next, the eval command checks for a number of conditions: is the message field null (meaning that there was no match in the rex command), does it match one of several patterns? Notice that the tests are executed in order, and the first true condition determines the new value of message. If none of the conditions are true, the value of message is unchanged. This gives you the ability to further categorize the data if you wish. If not, you can leave out the entire eval command.
Finally, the stats command counts the number of occurrences of each message.

Re: How to generate a search for specific words in row data?

nabeel652 — Wed, 18 Jan 2017 01:10:14 GMT

assuming in your results "result_field" starts with word message and ends with last word of the message. I have assumed that your result field can start with
message ...
message= ...
message = ... etc

Blockquote

 your search ...   | rex field=result_field "message\s*\=*\s*(?<Msg>.*)$" | stats count by Msg

Blockquote

Re: How to generate a search for specific words in row data?

jw44250 — Wed, 18 Jan 2017 02:26:28 GMT

The message can appear any place ...these statements comes from logs files
Suppose you have statements like:

Result 1
"This message from john."

Result 2
"Message sorry boss not wrong data"

Result
"Pls correct your message before going forward"

Re: How to generate a search for specific words in row data?

jw44250 — Wed, 18 Jan 2017 02:29:31 GMT

Result 4
"This message from john."

Result 5
"Message sorry boss not wrong data"

Result 5
"Pls correct your message before going forward"

Group Message A => 1 and 4 = "This message from john"
Group Message B => 2 & 5 " = "Message sorry boss not data"
Group Message C = 3 & 6 result "pls correct your message before going forward"

Re: How to generate a search for specific words in row data?

jw44250 — Wed, 18 Jan 2017 03:07:22 GMT

where you are getting this data "field=result_field" ... it will not work since i dont have any field or unique anything...its just a stamement like "This message from john"

Re: How to generate a search for specific words in row data?

DalJeanis — Wed, 18 Jan 2017 15:45:02 GMT

This question is extremely vague and not well-formed. It's not possible to give you code to solve your issue if the structure of the data isn't understood accurately.

1) Is there a field that is the one that contains the word message, or are we checking the _raw event data?

2) If the details of the message location can vary widely, please explain in English how exactly YOU (as a human) would determine that two messages inside the _raw data were exactly the same? What would you use as the boundaries of the "message" part of the _raw data?

3) If the value of the whole message is to be extracted from _raw data, then please show us two entire messages -- different but similar -- with all the timestamps and other field markers present. You can obfuscate the data as needed -- replace the hostnames with "myhost", usernames with "myusername" etc. Once we see this, we can code you a regular expression to pull out the message data.

As a general case, I'm assuming that we are aiming for something like this -

index=myindex [your original search] | search "message" 
| rex field=_raw "some regular expression that pulls out (?<TheMessage>.*) and leaves out stuff that isn't the message..."
| stats count by TheMessage

Re: How to generate a search for specific words in row data?

DalJeanis — Wed, 14 Jun 2017 18:33:37 GMT

@jw44250 - did you ever get a solution to this one?

Re: How to generate a search for specific words in row data?

jw44250 — Fri, 16 Jun 2017 00:53:04 GMT

Yes..thanks from everyone...sorry been busy with work..