Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to right regular expression for finding field value app=Center realm. ?

moiezuddin
Explorer
‎04-07-2015 08:23 AM

Hi when i searched with the below query

index=casm_prod sourcetype=smtrace ........REGULAR EXP.....................

Please help me to right regular expression for finding the application value app=Center realm

By default it is not showing exanmple index=casm_prod sourcetype=smtrace app=Center realm

so we need to right regular expression to show the result

kindly help on it

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎04-08-2015 10:25 AM

moiezuddin, I am not sure I'm interpreting the request, but I see two possibilities.

1) "Center realm"

  • we can see that "Center realm" is definitely in at least some search results given your posts/replies to tachifelix. If you need to filter only on those, there is no harm in avoiding the "app=" portion and just searching for "Center realm" as your search string (in other words use index=casm_prod sourcetype=smtrace "Center realm" instead of index=casm_prod sourcetype=smtrace app="Center realm")

But I don't think that's what you are after. I think instead, you want:

2) app="Center realm"

I think you are trying to "define" app to be "center realm" when it's like the second set of logs. For this, you'll want to create a field extraction. You give a line format like so: [04/08/2015][06:13:13.893][498011056][s46597300/r12][Center realm].... Now, I'm no wizard, but you could brute force something like creating a field out of the 4th set of "stuff" in square brackets (starts at index 0, not 1, hence 4th, not 5th). There are regex ways to do it, too.

index=casm_prod sourcetype=smtrace  
| makemv tokenizer="\[(.*?)\]" _raw
| eval app=mvindex(mystring,4)

Now, I'm not sure how that work given your other search results, but if it's like most things in Splunk the above commands will ignore lines that don't fit the [stuff1][stuff2],... format of these lines. I'm also not positive I have it all right, you may need the 3rd, 5th, or some other field out of that.

That should let "app=blah" work fine when it's in the url string (where splunk already knows this field) and when the line matches the format of the set you gave above, then it should add app="Center realm" as a field.

Give that a try and see how it goes.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

Richfez
SplunkTrust
SplunkTrust
‎04-08-2015 10:25 AM

moiezuddin, I am not sure I'm interpreting the request, but I see two possibilities.

1) "Center realm"

  • we can see that "Center realm" is definitely in at least some search results given your posts/replies to tachifelix. If you need to filter only on those, there is no harm in avoiding the "app=" portion and just searching for "Center realm" as your search string (in other words use index=casm_prod sourcetype=smtrace "Center realm" instead of index=casm_prod sourcetype=smtrace app="Center realm")

But I don't think that's what you are after. I think instead, you want:

2) app="Center realm"

I think you are trying to "define" app to be "center realm" when it's like the second set of logs. For this, you'll want to create a field extraction. You give a line format like so: [04/08/2015][06:13:13.893][498011056][s46597300/r12][Center realm].... Now, I'm no wizard, but you could brute force something like creating a field out of the 4th set of "stuff" in square brackets (starts at index 0, not 1, hence 4th, not 5th). There are regex ways to do it, too.

index=casm_prod sourcetype=smtrace  
| makemv tokenizer="\[(.*?)\]" _raw
| eval app=mvindex(mystring,4)

Now, I'm not sure how that work given your other search results, but if it's like most things in Splunk the above commands will ignore lines that don't fit the [stuff1][stuff2],... format of these lines. I'm also not positive I have it all right, you may need the 3rd, 5th, or some other field out of that.

That should let "app=blah" work fine when it's in the url string (where splunk already knows this field) and when the line matches the format of the set you gave above, then it should add app="Center realm" as a field.

Give that a try and see how it goes.

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎04-08-2015 10:36 AM

By the way, if you want to use the other values, I'd use a rex probably. I'm making it up, but if you wanted to break on square brackets, something like...

index=casm_prod sourcetype=smtrace | rex "\[(?<mydate>[^]]+)\]\[(?<mytime>[^]]+)\]\[(?<somefield1>[^]]+)\]\[(?<somefield2>[^]]+)\]\[(?<app>[^]]+)\]"

That you can extend it by copying/pasting each part and renaming the field. \[(?[^]]+)\] is one piece. 🙂

0 Karma
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎04-08-2015 10:38 AM

I think the inline version of the code (the little piece) ate my angled brackets and what was inside it (right after the question mark). You can probably figure it out. If you have specific problems, ask again with a few sample lines and what does/is and does not/is not working.

0 Karma
Reply
Solved! Jump to solution

moiezuddin
Explorer
‎04-09-2015 02:22 AM

thanks rich, for your brief explanation.

i got the result with the below search query

index=casm_prod sourcetype=smtrace "Center realm" | bucket _time span=1m |stats count(sso_id) as eventcount by _time, sso_id

thanks alot

0 Karma
Reply
Solved! Jump to solution

tachifelix
Path Finder
‎04-08-2015 01:30 AM

to make sure that app=center realm in your data run this search : index=casm_prod sourcetype=smtrace |search "Center realm"

0 Karma
Reply
Solved! Jump to solution

tachifelix
Path Finder
‎04-08-2015 01:36 AM

then post a sample event of the result

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎04-07-2015 08:59 AM

Please post some sample data.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...

Updated Team Landing Page in Splunk Observability

We’re making some changes to the team landing page in Splunk Observability, based on your feedback. The ...

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Regardless of where you are in Splunk Observability, you can search for relevant APM targets including service ...