Solved: Fetching the keywords and creating queries

aditsss · ‎07-12-2023

Hi Team,

Could you please guide how I can fetch the below keywords from raw logs:

2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /absin/TRIM.ARCH.D062923.T052525

2023-06-28 10:36:24.064 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file / absin/TRIM.ARCH.D062823.T063718

2023-06-29 09:38:03.308 [INFO ] [pool-2-thread-1] ArchivalProcessor - Processing archival records for file TRIM.ARCH.D062923.T052525

Can someone guide me how can I fetch from raw logs.

gcusello · ‎07-12-2023

Hi @aditsss,

you have to use a regex like the following:

| rex "file\s+(?<filename>.*)"

that you can test at https://regex101.com/r/Uc21zy/1

Ciao.

Giuseppe

View solution in original post

gcusello · ‎07-12-2023

Hi @aditsss,

you have to use a regex like the following:

| rex "file\s+(?<filename>.*)"

that you can test at https://regex101.com/r/Uc21zy/1

Ciao.

Giuseppe

gcusello · ‎07-13-2023

Hi @aditsss,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

aditsss · ‎07-12-2023

@gcusello could you please provide me the complete query:

My current query is this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"

gcusello · ‎07-12-2023

Hi @aditsss,

please try this

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| table filename

Ciao.

Giuseppe

aditsss · ‎07-12-2023

Hi @gcusello

I want something like this

finished reading file /absin/TRIM.ARCH.D062923.T052525 2023-06-29 09:41:53.884

One side it should be this and other side it should be date.

@gcusello how can we create query for this. Please guide

2023-06-29 09:41:53.884 [INFO ] [pool-2-thread-1] ArchivalProcessor - finished reading file /absin/TRIM.ARCH.D062923.T052525

Also I don't want tabular format is that possible I can create bar chart.

Current query:

index="abx*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"| rex "file\s+(?<filename>.*)"

gcusello · ‎07-12-2023

Hi @aditsss,

please try this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| table filename _time

Ciao.

Giuseppe

aditsss · ‎07-12-2023

Thanks @gcusello

But I want to create in bar chart format please guide.

gcusello · ‎07-12-2023

Hi @aditsss,

let me understand: you have a string in a column and a date in another, how do you want to put them in a chart?

Ciao.

Giuseppe

aditsss · ‎07-12-2023

@gcusello

I want string on bar and date down

gcusello · ‎07-12-2023

Hi @aditsss,

if you want a timeline, you have to use the timeline Add-On at https://splunkbase.splunk.com/app/3120

There isn't any other solution.

Ciao.

Giuseppe

aditsss · ‎07-12-2023

@gcusello

I just want date down and string in column or bar format.

Can you guide me with timechart

aditsss · ‎07-12-2023

@gcusello

I tried like this but not getting any result:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
|  timechart span=1d values(filename) AS filename

aditsss · ‎07-12-2023

Hi @gcusello

I had tried like this:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "finished reading file"
| rex "file\s+(?<filename>.*)"
| eval filename="finished reading file ".filename
| stats count by filename

I am getting result like this:

filename count

finished reading file TRIM.ARCH.D062623.T053124 1

I want something like this

filename Date

finished reading fileTRIM.ARCH.D062623.T053124 2023-06-29 09:41:53.884

gcusello · ‎07-12-2023

Hi @aditsss,

as I said, in a chart you can insert a count or a value but never a string.

You can eventually have a timechart, but always with a value (a count or a sum) never with a string.

The only way to have a chart is the Timeline add-on.

Otherwise, you can have a table like the one you shared.

ciao.

Giuseppe

aditsss · ‎07-12-2023

@gcusello

I am trying this query:

index="abc*" sourcetype=600000304_gg_abs_ipc2 source="/amex/app/abs-upstreamer/logs/abs-upstreamer.log" "Processing archival records for file "
| rex "file\s+(?<filename>.*)"
| eval filename="Processing archival records for file ".filename
| stats count by filename

I am able to see result like this:

filename count

Processing archival records for file TRIM.ARCH.D062723.T061108 1

I want to see result like this

filename Date

Processing archival records for file TRIM.ARCH.D062723.T061108 2023-06-27 09:29:11.022

@gcusello please guide

Fetching the keywords and creating queries

chart

panel

timechart

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...

New This Month in Splunk Observability Cloud - Synthetic Monitoring updates, UI ...