All Apps and Add-ons
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extraction

jamesmcgee
Explorer
‎11-08-2011 08:09 AM

Hi

Am trying to create a field extraction to report on at search time, based on data like the below

W3SVC1 IP.IP.IP.40 GET /service/79/ClientA/Default.aspx
W3SVC1 IP.IP.IP.17 GET /service/77/ClientB/Default.aspx
W3SVC3 IP.IP.IP.16 GET /service/77/ClientB/Default.aspx
W3SVC1 IP.IP.IP.40 GET /service/77/ClientC/Default.aspx
W3SVC7 IP.IP.IP.40 GET /service/79/ClientA/Default.aspx
W3SVC3 IP.IP.IP.16 GET /service/77/ClientB/Default.aspx

So, that I can report on "Get requests", to standard logon page, by client.

Am really struggling with either the IFX app, or the default "Field Extractor", and think there should be an easy way...

Any help appreciated.

Thanks

JM

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎11-08-2011 08:53 AM

Hi,

If you are using a standard sourcetype for your log format, the method (GET, POST, OPTIONS, TRACE etc) should probably already be extracted.

Extract the client by

\d+\/(?<client>.*)\/Default\.aspx$

hope this helps,

Kristian

View solution in original post

Reply
Solved! Jump to solution

kmattern
Builder
‎11-09-2011 08:22 AM

It sounds to me like you want to break out the path into multiple fields. The handy way to do that is to use multivalue field extraction. Assuming that this field,

"/service/12/CLIENTA/logo.gif"

is named Path, try something like this

| makemv delim="/" Path | eval cli=mvindex(Path,2) | stats count(cli) as Client_Count

Remember that the index starts with 0 and not 1. You can also say something like

| eval WebPage=mvindex(Path,3)

This will extract just the page from the longer string so you can count the web pages. You can even say something like

| stats count(cli) as ClientCount by WebPage

to get the count of each web page by client. I use this method all the time to show the top web pages hit on my portal.

Ken

0 Karma
Reply
Solved! Jump to solution

jamesmcgee
Explorer
‎11-09-2011 06:42 AM

So, with what you gave me earlier, I can report on how many times default.aspx was hit, by client, using the extraction. What I am trying to do know, is show "all" hits, by client.

So, current search is soemthing like...

Source=iis | rex "\d+\/(?.*)\/Default.aspx" | timechart count by client

What this gives me, is fine, to show me "landing page" (default.aspx) numbers, by client, but what I'd like to show now, is how many hits in total, by client, so the easiest thing for me to do (I think), would be to

run search/chart on

/service/12/CLIENTA/.

/service/12/CLIENTA/.

/service/23/CLIENTB/.

/service/12/CLIENTC/.

/service/28/CLIENTD/.

So, that no matter what page they request, it get's counted in the logs as a hit, and I can extract it by client.

But, no matter what tweaking I do, do the regex you gave me earlier, I seem to pull in too much data. I'm not interest in specific pages, gifs/logos etc, but really how many "hits" there were overall, by client.

(or, do you have a link to regex for dummies)?

Thanks

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎11-09-2011 12:33 PM

Well, yes.. hmm, just what do the numbers (12,23,28) mean?

How do you mean that the regex pulls in too much data? Do you not get a field called 'client', containing values like CLIENTA, CLIENTB etc? Or are you getting everything from CLIENTx to the end of the line?

As I understand your post above, you want a count of all log lines (i.e. all requests regardless of the resource being requested), grouped on the .. 'instance' for lack of a better word. Is this 'instance' just the CLIENTx value or the CLIENTx value in combination with the preceeding number?

/k

0 Karma
Reply
Solved! Jump to solution

jamesmcgee
Explorer
‎11-08-2011 05:43 PM

Top man, that did the job... but....How do I now count all "hits" by client... (sorry!)

So, rather than just "extracting" pages/hits with default.aspx, I can also count anything by client

i.e

/service/12/CLIENTA/logo.gif
/service/12/CLIENTA/manual.pdf
/service/12/CLIENTB/logo.gif
/service/12/CLIENTC/logo.gif
/service/12/CLIENTD/logo.gif

Now, want to count the "hits" by client, but am somehow pulling in anything beyond the CLIENTx/ mark no matter how I try to get the regex to work.

Thanks

0 Karma
Reply
Solved! Jump to solution

kristian_kolb
Ultra Champion
‎11-09-2011 06:33 AM

Do you need help with the search query, or with the field extractions or both. I don't really understand your last sentence.

/k

0 Karma
Reply
Solved! Jump to solution
Solution

kristian_kolb
Ultra Champion
‎11-08-2011 08:53 AM

Hi,

If you are using a standard sourcetype for your log format, the method (GET, POST, OPTIONS, TRACE etc) should probably already be extracted.

Extract the client by

\d+\/(?<client>.*)\/Default\.aspx$

hope this helps,

Kristian

Reply
Get Updates on the Splunk Community!

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL

Splunk AI Assistant for SPL | Key Use Cases to Unlock the Power of SPL  The Splunk AI Assistant for SPL ...

Buttercup Games: Further Dashboarding Techniques (Part 5)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Customers Increasingly Choose Splunk for Observability

For the second year in a row, Splunk was recognized as a Leader in the 2024 Gartner® Magic Quadrant™ for ...
Top