Dashboards & Visualizations

How to fetch string in splunk

aditsss
Motivator

Hi Everyone,

I have below sets of raw logs:

source-timestamp=1655611288414,event-type:Lead_Staging__c

source-timestamp=1655611288414,event-type:Account_Snapshot__c

source-timestamp=1655611288414,event-type:Opp

I want to fetch all the event -type.

Can someone guide me.

 

Labels (3)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

The previous rex worked with the examples you gave - because these examples were incomplete w.r.t. your actual events, it didn't work for your real event.

Assuming that the new examples are an accurate representation of your real events, try this

| rex "event-type:(?<eventType>[^,]+)"

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
| rex "event-type:(?<eventType>.+)"
0 Karma

aditsss
Motivator

Hi @ITWhisperer 

 

Its not showing the correct way.

My entire query is this

index=abc ns=blazepsfpublish app_name=pulldataoneforce* "The Total Process Time to publish in Kafka topic is" | rex "event-type:(?<eventType>.+)"| rename eventType as event-type|eval Date=strftime(_time, "%Y-%m-%d") | timechart span=1d count(source_uniqueid) as "The Total Process Time to publish in Kafka topic is" by event-type

I have attached the screenshot to show how it is coming

These are my raw logs

source-uniqueid=cdc3bcb5-9ad4-46a9-92dc-4c84b081ab3b, source-timestamp=1655646610318,event-type:Lead_Staging__c, source-type:OneForce, memsql-persist:true, channel:/event/tel_External_Change_Event__e, replayId:14522702, The Total Process Time to publish in Kafka topic is (milli-sec)=7

Can you please guide

 

Tags (1)
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The previous rex worked with the examples you gave - because these examples were incomplete w.r.t. your actual events, it didn't work for your real event.

Assuming that the new examples are an accurate representation of your real events, try this

| rex "event-type:(?<eventType>[^,]+)"
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In January, the Splunk Threat Research Team had one release of new security content via the Splunk ES Content ...

Expert Tips from Splunk Professional Services, Ensuring Compliance, and More New ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Observability Release Update: AI Assistant, AppD + Observability Cloud Integrations & ...

This month’s releases across the Splunk Observability portfolio deliver earlier detection and faster ...