topic Re: How to get a log pattern count? in Splunk Search

How to get a log pattern count?

srinij — Wed, 19 Oct 2016 16:27:43 GMT

Hi,

I have a log pattern like this

requrl : serviceName: abcd key: xyz-abc-def header: http
requrl : serviceName: efgh key: abc-asd-sssd header: http
requrl : serviceName: 1234 key: abc-1234-sssd header: http

I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.

For example, I would need a table which says

serviceName key

abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd

How would i do that? Can anyone help me here?

Re: How to get a log pattern count?

aaraneta_splunk — Wed, 19 Oct 2016 17:01:49 GMT

Hi @srinij - It looks like your post is missing information. You mention, "I would like to find the unique pattern like this" and nothing else is written. You will likely need to provide more information to the Answers community about what you would want your expected result to look like so that users can better help you. Thanks.

Re: How to get a log pattern count?

inventsekar — Wed, 19 Oct 2016 17:03:16 GMT

Hi Srini.. please update us some more info..what is the unique pattern on this above log pattern..

Re: How to get a log pattern count?

srinij — Wed, 19 Oct 2016 17:10:31 GMT

@aaraneta - I just added more information. sorry about that!

Re: How to get a log pattern count?

srinij — Wed, 19 Oct 2016 17:11:05 GMT

Hi Sekar, I just updated the info!

Re: How to get a log pattern count?

srinij — Wed, 19 Oct 2016 17:16:27 GMT

Hi,

I have a log pattern like this

requrl : serviceName: **abcd** key: **xyz-abc-def** header: http
requrl : serviceName: **efgh** key: **abc-asd-sssd** header: http
requrl : serviceName: **1234** key: **abc-1234-sssd** header: http

The above log lines follow the pattern - requrl : serviceName: **** key: **** header: http
The bold items are values that changes.

I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.

I would need a table which prints that serviceName and key. Also would like to ignore the duplicate entries.So, if the same line prints in the log multiple time, i would like to have only one entry in the table.

serviceName key

abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd

How would i do that? Can anyone help me here?

Re: How to get a log pattern count?

sundareshr — Wed, 19 Oct 2016 17:16:57 GMT

Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this

base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key

Re: How to get a log pattern count?

srinij — Wed, 19 Oct 2016 18:08:45 GMT

That didn't work for me for some reason but it was a good one that helped learn about it.

Re: How to get a log pattern count?

srinij — Wed, 19 Oct 2016 18:09:15 GMT

I figured out what I looking for in a different way. Here is my solution. I got the serviceName and the count by below search query

base search | rex "requrl : serviceName: (?<ServiceName>[^\s]+)" | stats count by ServiceName

Re: How to get a log pattern count?

gokadroid — Thu, 20 Oct 2016 01:20:03 GMT

Try this if you want both the serviceName and the key:

base search | rex "requrl : serviceName:\s(?<serviceName>[^\s]+)\skey:\s(?<key>[^\s]+)" | stats count by serviceName, key | fields serviceName, key