https://community.splunk.com/t5/Splunk-Search/Help-on-Data-Aggregation-from-Logs/m-p/278023#M83904 <P>The first thing you are going to need to do is to extract the fields. If this is in XML/JSON format, you might be able to simply use |spath </P> <PRE><CODE>base search |spath </CODE></PRE> <P>Otherwise you will have to use the field extractor, and try to tease out the data you need. <BR /> <A href="http://docs.splunk.com/images/9/9d/CIM-extract_fields_UI.png">http://docs.splunk.com/images/9/9d/CIM-extract_fields_UI.png</A></P> <P>Or you can play around with inline extractions using |rex</P> <PRE><CODE>| rex field=_raw "apiName":"(?&lt;API_Name&gt;./w+^") </CODE></PRE> <P>Then once you get it extracted you can do something like this. </P> <PRE><CODE> base search | rex field=_raw "apiName":"(?&lt;API_Name&gt;.\w+) " | rex field=_raw "Start=(?&lt;Start&gt;\d+)" | stats list(API_Name) by Start </CODE></PRE> <P>I've not tested any of these regex's. It takes a bit of practice to get them right, but once you have the fields extracted, then you can do more with the data. </P> <P>Check out the documentation on extracting fields. </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands">https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands</A></P> Mon, 25 Jul 2016 17:04:34 GMT JDukeSplunk 2016-07-25T17:04:34Z https://community.splunk.com/t5/Splunk-Search/Help-on-Data-Aggregation-from-Logs/m-p/278022#M83903 <P>Hi Team,</P> <P>I am new to Splunk tool. But going through vast documentation also din't help me much.<BR /> If someone can help me to know that how to achieve below out put from logs, would really be helpful.</P> <P>Below raw is just one sample from logs. So i need to have as many rows as we have objectCount.</P> <P><STRONG>Raw Output Logs</STRONG>:<BR /> &lt;135&gt;Jul 22 01:15:42 ******.nsroot.net {"datetime":"2016-07-22T05:14:40.292Z","apiName":"XYZ","apiVersion":1,"appName":"ABC","envName":"External-ADP","planName":"LMN","planVersion":1,"timeToServeRequest":922,"bytesSent":209,"requestProtocol":"https","requestMethod":"GET",requestTimestamp : 2016-07-22T01:14:39-04:00,responseTimestamp : 2016-07-22T01:14:40-04:00,X-Content-Type-Options : nosniff","responseBody":"","latency":"Initialization=0ms : Start=6ms : 576197e8e4b0d8a5ff967ffc=1ms : 576197e8e4b0d8a5ff967fff=3ms : 56f18e6ee4b06bb8f1889f36=0ms : 1326652068303=2ms : Activity Log 5=0ms : Request=1ms : HTTP GET Operation 5=38ms : HTTP POST Operation 8=519ms : HTTP PUT Operation 2=138ms : HTTP POST Operation 5=139ms : Response=75ms"}</P> <P><STRONG>REQUIRED OUTPUT</STRONG> <BR /> <EM>APIName</EM> = XYZ<BR /> <EM>timeToServeRequest</EM> = 922<BR /> <EM>Start</EM> = 6ms</P> <P>Appreciate your help and response.</P> Fri, 22 Jul 2016 07:59:52 GMT https://community.splunk.com/t5/Splunk-Search/Help-on-Data-Aggregation-from-Logs/m-p/278022#M83903 viruvaibhav21 2016-07-22T07:59:52Z https://community.splunk.com/t5/Splunk-Search/Help-on-Data-Aggregation-from-Logs/m-p/278023#M83904 <P>The first thing you are going to need to do is to extract the fields. If this is in XML/JSON format, you might be able to simply use |spath </P> <PRE><CODE>base search |spath </CODE></PRE> <P>Otherwise you will have to use the field extractor, and try to tease out the data you need. <BR /> <A href="http://docs.splunk.com/images/9/9d/CIM-extract_fields_UI.png">http://docs.splunk.com/images/9/9d/CIM-extract_fields_UI.png</A></P> <P>Or you can play around with inline extractions using |rex</P> <PRE><CODE>| rex field=_raw "apiName":"(?&lt;API_Name&gt;./w+^") </CODE></PRE> <P>Then once you get it extracted you can do something like this. </P> <PRE><CODE> base search | rex field=_raw "apiName":"(?&lt;API_Name&gt;.\w+) " | rex field=_raw "Start=(?&lt;Start&gt;\d+)" | stats list(API_Name) by Start </CODE></PRE> <P>I've not tested any of these regex's. It takes a bit of practice to get them right, but once you have the fields extracted, then you can do more with the data. </P> <P>Check out the documentation on extracting fields. </P> <P><A href="https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands">https://docs.splunk.com/Documentation/Splunk/6.4.2/Search/Extractfieldswithsearchcommands</A></P> Mon, 25 Jul 2016 17:04:34 GMT https://community.splunk.com/t5/Splunk-Search/Help-on-Data-Aggregation-from-Logs/m-p/278023#M83904 JDukeSplunk 2016-07-25T17:04:34Z