- Splunk Answers
- :
- Using Splunk
- :
- Dashboards & Visualizations
- :
- Fetching the keywords and creating queries
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Team,
Could you please guide how I can fetch the below keywords from raw logs:
2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /absin/TRIM.ARCH.D062923.T052525
2023-06-28 10:36:24.064 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file / absin/TRIM.ARCH.D062823.T063718
2023-06-29 09:38:03.308 [INFO ] [pool-2-thread-1] ArchivalProcessor - Processing archival records for file TRIM.ARCH.D062923.T052525
Can someone guide me how can I fetch from raw logs.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
you have to use a regex like the following:
| rex "file\s+(?<filename>.*)"that you can test at https://regex101.com/r/Uc21zy/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
you have to use a regex like the following:
| rex "file\s+(?<filename>.*)"that you can test at https://regex101.com/r/Uc21zy/1
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
good for you, see next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@gcusello could you please provide me the complete query:
My current query is this:
index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
please try this
index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| table filenameCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello
I want something like this
finished reading file /absin/TRIM.ARCH.D062923.T052525 2023-06-29 09:41:53.884
One side it should be this and other side it should be date.
@gcusello how can we create query for this. Please guide
2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /absin/TRIM.ARCH.D062923.T052525
Also I don't want tabular format is that possible I can create bar chart.
Current query:
index="abx*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"| rex "file\s+(?<filename>.*)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
please try this:
index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| table filename _timeCiao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks @gcusello
But I want to create in bar chart format please guide.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
let me understand: you have a string in a column and a date in another, how do you want to put them in a chart?
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I want string on bar and date down
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
if you want a timeline, you have to use the timeline Add-On at https://splunkbase.splunk.com/app/3120
There isn't any other solution.
Ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried like this but not getting any result:
index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| timechart span=1d values(filename) AS filename- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @gcusello
I had tried like this:
index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| stats count by filename
I am getting result like this:
filename count
finished reading file TRIM.ARCH.D062623.T053124 1
I want something like this
filename Date
finished reading fileTRIM.ARCH.D062623.T053124 2023-06-29 09:41:53.884
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @aditsss,
as I said, in a chart you can insert a count or a value but never a string.
You can eventually have a timechart, but always with a value (a count or a sum) never with a string.
The only way to have a chart is the Timeline add-on.
Otherwise, you can have a table like the one you shared.
ciao.
Giuseppe
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am trying this query:
index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "Processing archival records for file "
| rex "file\s+(?<filename>.*)"
| eval filename="Processing archival records for file ".filename
| stats count by filename
I am able to see result like this:
filename count
Processing archival records for file TRIM.ARCH.D062723.T061108 1
I want to see result like this
filename Date
Processing archival records for file TRIM.ARCH.D062723.T061108 2023-06-27 09:29:11.022
@gcusello please guide
Detecting Remote Code Executions With the Splunk Threat Research Team
Enter the Splunk Community Dashboard Challenge for Your Chance to Win!
.conf24 | Session Scheduler is Live!!
