Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to fetch a word from logs

aditsss
Motivator
‎11-12-2024 07:08 AM

Hi Team,

Below is my raw log

I want to fetch 38040 from log please guide

ArchivalProcessor - Total records processed - 38040

Labels (2)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-12-2024 07:58 AM 
| rex "Total records processed - (?<processed>\d+)"
0 Karma
Reply

aditsss
Motivator
‎11-12-2024 10:25 PM

@ITWhisperer 

I make the below query but my processed count is coming as blank

index="abc" sourcetype=600000304_gg_abs_ipc2 "Total records processed -"
| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount

 

Raw logs

2024-10-23 20:40:23.658 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 15618

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2024 12:34 AM

Please show your raw event in a codeblock (using the </> button)

0 Karma
Reply

aditsss
Motivator
‎11-13-2024 06:57 AM

 

Hi @ITWhisperer 

Raw code

2024-10-29 20:42:43.702 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 38040

my query:

index="600000304_d_gridgain_idx*" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount

 

index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-13-2024 09:07 AM

What is it that you are trying to chart? The values() aggregate function with give you a multivalue field of strings with unique values from your events for each time bucket. You cannot chart strings on the y-axis, they need to be numbers.

0 Karma
Reply

aditsss
Motivator
‎11-13-2024 08:55 PM

@ITWhisperer ,

I want to make one table where we have date on one column and counts on other column

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-14-2024 02:08 AM

From looking at what you have posted, it appears that there may be a space between the "-" and the start of the number which is not present in the regex. This is why we ask for event data and SPL code to be shared in code blocks, so these things can be more easily spotted. Assuming this is the case, then use the regex as I showed (not as you have apparently used).

0 Karma
Reply

aditsss
Motivator
‎11-18-2024 03:11 AM

@ITWhisperer 

I tried below query but still not able to fetch record

 

index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount

 

Please find below raw logs 

2024-10-29 20:39:55.900 [INFO ] [pool-2-thread-1] ArchivalProcessor - Total records processed - 27846
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-18-2024 03:17 AM

As I said before, there appears to be a space between "Total records processed -" and 27846 which doesn't appear to have been catered for in your regex

Total records processed - 27846

 Please share the search also in a code block (as above) so we can check.

0 Karma
Reply

aditsss
Motivator
‎11-18-2024 03:24 AM

Hi @ITWhisperer .

PFB search string in code block

index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed -(?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎11-18-2024 03:34 AM

Exactly what I was saying, you have missed a space between the "-" and the number. Try this:

index="abc" sourcetype=600000304_gg_abs_ipc2 source!="/var/log/messages" "ArchivalProcessor - Total records processed"| rex "Total records processed - (?<processed>\d+)"
| timechart span=1d values(processed) AS ProcessedCount
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain

Boston may be buzzing this September with Splunk University and .conf25, but you don’t have to pack a bag to ...

Splunk Lantern’s Guide to The Most Popular .conf25 Sessions

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Unlock What’s Next: The Splunk Cloud Platform at .conf25

In just a few days, Boston will be buzzing as the Splunk team and thousands of community members come together ...