- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Not able to extract exact fields.
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Dear All,
I working on some oracle data logs. So i am able to extract some fields but i am not able to extract some of fields can anybody help on this.
here is my data
17-Jun-2014, 07:42:02 >> General Email > MR: 9 Emails Processed. 0 Success, 9 Failed.
17-Jun-2014, 07:43:01 >> General Fax > CR: 0 Faxes Processed. 0 Success, 0 Failed.
17-Jun-2014, 07:47:02 >> Bulk Report E2b > E: 23 reports processed. 0 success, 0 failed, 23 skipped.
17-Jun-2014, 07:47:02 >> Bulk Report E2b > E: 1 reports processed. 0 success, 0 failed, 1 skipped.
17-Jun-2014, 07:51:11 >> Audit Log Update > "D:\a\s\p.exe AG Audit Log Update Audit Log Update" stopped.
Here i want to extract below fields
1) No of Emails Processed.
2) No of Success
3) No of Failed
4) No of Fax processed
5) No of Reports Processed
Thanks
Gajanan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | rex "\s(?<EmailProcessed>\d+) Emails Processed" | rex "\s(?<Success>\d+) (S|s)uccess" | rex "\s(?<Failed>\d+) (F|f)ailed"| rex "\s(?<FaxProcessed>\d+) Faxes Processed"| rex "\s(?<ReportsProcessed>\d+) reports processed"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is how I would do it.
Settings » Fields » Field extractions
Name: ORACLE_Emails-Processed
Sourcetype: Host->ServerIP
Extraction/Transform: MR: (?<ORACLE_Emails-Processed>.*) Emails Processed.
Name: ORACLE_Emails-Success
Sourcetype: Host->ServerIP
Extraction/Transform: Emails Processed. (?<ORACLE_Emails-Success>.*) Success,
Name: ORACLE_Emails-Failed
Sourcetype: Host->ServerIP
Extraction/Transform: Emails Processed. .* Success, (?<ORACLE_Emails-Failed>.*) Failed.
etc
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this
your base search | rex "\s(?<EmailProcessed>\d+) Emails Processed" | rex "\s(?<Success>\d+) (S|s)uccess" | rex "\s(?<Failed>\d+) (F|f)ailed"| rex "\s(?<FaxProcessed>\d+) Faxes Processed"| rex "\s(?<ReportsProcessed>\d+) reports processed"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi gajananh999,
you can use the below rex
:\s(?<NoProcessed>\d+)\s(?<Category>[^\.]+)\.\s(?<NoofSuccess>\d+)\sSuccess,\s(?<NoOfFailed>\d)\sFailed\.
Here Category tells Emails Processed. Reports or Faxes Processed.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have to put this into transform.conf file? and how about the 0 success, 0 failed, 1 skipped ?
let me try this in putting into transform.conf file
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
