Hello all!
I'm trying to build dropdowns in a dashboard for fields I've built via 'rex field' and eval statements, as seen in the search below.
I am having trouble tying these fields into $token$ values.
I've tried placing them into the search in a couple of different places, but the search just fails.
Here is the search as it is currently built. Thanks for any direction you can provide.
index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs* user="$fields,0$"
| rex field=msg "VALUES (?<valuees>.*)"
| eval fields=split(valuees,"'")
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3)
| eval page=mvindex(fields,5)
| eval params=mvindex(fields,7)
| eval datetime=mvindex(fields,9)
| search user=$"fields,0"$
| stats count by datetime user method page params
@gcusello , thank you!
Here is the search code:
index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?<valuees>.*)"
| eval fields=split(valuees,"'")
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3)
| eval page=mvindex(fields,5)
| eval params=mvindex(fields,7)
| eval datetime=mvindex(fields,9)
| eval created_at=mvindex(fields,11)
| eval updated_at=mvindex(fields,13)
| stats count by datetime user method page params
I'm pulling the data from within the field called 'msg' (example below). I extract it into new fields so we can search and sort by that data.
Particularly this data:
user_logs (user, method, page, params, datetime, created_at, updated_at)
Here is an example of 'msg':
[1m[36mUserLog Create (27.8ms)[0m [1m[32mINSERT INTO `user_logs` (`user`, `method`, `page`, `params`, `datetime`, `created_at`, `updated_at`) VALUES ('Opredelennov, Eugene', 'destroy', 'deployments', '{\"id\"=>132, \"apic_id\"=>1, \"decommission_standard_change_id\"=>\"CRQ000001518730\", \"decommission_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001518730\", \"decommissioner_id\"=>2, \"name\"=>\"10G-VPC-test-vlan2508\", \"description\"=>\"10G-VPC-test-vlan2508\", \"provision_standard_change_id\"=>\"CRQ000001517986\", \"provision_standard_change_url\"=>\"https://remedy-test.lmig.com/arsys/shared/Ticket.jsp?ID=CRQ000001517986\", \"status\"=>\"Decommissioned\", \"user_id\"=>4, \"user_group_id\"=>nil}', '2020-03-16 14:50:42', '2020-03-16 14:50:42', '2020-03-16 14:50:42')
Thanks again.
Hi, @petersmiddy,
If you could put your code in the Code Sample (the button with 101010), I could help you to analyze the regexes, which I cannot read correctly now.
Also, I see a comma in the token: what does it mean?
If you could share a sample of your data and of the search of the dropdown, I could help you with them.
Also, to use quotes with a token you have to put the full token (with $) inside the quotes, user="$fields,0$", as you did in the first bolded case but not in the second: Splunk recognizes the token by the "$" chars.
Ciao.
Giuseppe
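As an added example, not code from the thread or from Splunk's documentation: a minimal Simple XML dashboard that wires a dropdown to the user field extracted by the rex/split/mvindex chain from the post. The token name user_tok, the 24-hour time range and the single-table layout are assumptions; the base search and the eval chain are the ones petersmiddy posted. It shows the two things the thread turns on: the dropdown input is what defines the token name, and the main search then references that name as $user_tok$ with the full token inside the double quotes, as Giuseppe describes. Inside Simple XML the < and > of the named capture group have to be written as &lt; and &gt;, otherwise the dashboard fails to parse.

```xml
<form>
  <label>user_logs activity by user</label>
  <fieldset submitButton="false">
    <!-- The dropdown defines the token name (user_tok is an assumed name).
         Its populating search reuses the same rex/split/mvindex chain as the post,
         so the choices are exactly the values the main search can match. -->
    <input type="dropdown" token="user_tok" searchWhenChanged="true">
      <label>User</label>
      <choice value="*">All users</choice>
      <default>*</default>
      <fieldForLabel>user</fieldForLabel>
      <fieldForValue>user</fieldForValue>
      <search>
        <query>index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?&lt;valuees&gt;.*)"
| eval fields=split(valuees,"'")
| eval user=mvindex(fields,1)
| stats count by user</query>
        <earliest>-24h</earliest>
        <latest>now</latest>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- The token filter comes after the eval that creates "user":
               before that point the rex-derived field does not exist yet. -->
          <query>index=pcf_* cf_org_name="Network Software Development and Automation" cf_space_name="Development" cf_app_name=*privatecloud-dev* msg=*VALUES* *user_logs*
| rex field=msg "VALUES (?&lt;valuees&gt;.*)"
| eval fields=split(valuees,"'")
| eval user=mvindex(fields,1)
| eval method=mvindex(fields,3)
| eval page=mvindex(fields,5)
| eval params=mvindex(fields,7)
| eval datetime=mvindex(fields,9)
| eval created_at=mvindex(fields,11)
| eval updated_at=mvindex(fields,13)
| search user="$user_tok$"
| stats count by datetime user method page params</query>
          <earliest>-24h</earliest>
          <latest>now</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

The default choice value "*" means the filter line becomes user="*" and matches every row until a name is picked. The odd mvindex positions (1, 3, 5, ...) are a consequence of splitting on the single quote: position 0 is the opening "(", and every even position after that is the ", " separator between values, so user is at index 1 rather than 0.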