Solved: How to break events in this scenario

sarvan7777 · ‎05-02-2018

Here is a subset of my log file. This content appears for an App named App-1, but it just repeats in my log for around 12 Apps.

Scan **App-1** 
<blah blah>
<blah blah>
Start of Test
Table row count : 100
Messages in queue: 100
JMS Topics and row count in queue:
10   Topic1
17   Topic2
13   Topic3
20   Topic5
40   Topic5 
End of Test... 

Scan for Threshold...

WARNING -- Threshold Exceeded!

All I need is the table that has count and Topic1, Topic2 etc values as fields in Splunk

Count & Topic needs to be available as extracted fields in Splunk for the App-1 (App-1 is again an extracted field from this data set)

Any input is appreciated

woodcock · ‎05-02-2018

Like this:

... | rex "Scan \*\*(?<App>\S+)\*\*"
| rex max_match=0 "(?<Count>\d+)\s+(?<Topic>Topic\d+)"
| eval _raw=mvzip(Topic, Count, "=")
| kv

View solution in original post

FrankVl · ‎05-03-2018

I would be enclined to say: create a scripted input for this, that translates these files to a csv containing the desired data and then ingest that into splunk.

woodcock · ‎05-02-2018

Like this:

... | rex "Scan \*\*(?<App>\S+)\*\*"
| rex max_match=0 "(?<Count>\d+)\s+(?<Topic>Topic\d+)"
| eval _raw=mvzip(Topic, Count, "=")
| kv

How to break events in this scenario

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!