Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to fetch string in splunk

aditsss
Motivator
‎06-18-2022 11:47 PM

Hi Everyone,

I have below sets of raw logs:

source-timestamp=1655611288414,event-type:Lead_Staging__c

source-timestamp=1655611288414,event-type:Account_Snapshot__c

source-timestamp=1655611288414,event-type:Opp

I want to fetch all the event -type.

Can someone guide me.

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-19-2022 01:12 AM

The previous rex worked with the examples you gave - because these examples were incomplete w.r.t. your actual events, it didn't work for your real event.

Assuming that the new examples are an accurate representation of your real events, try this

| rex "event-type:(?<eventType>[^,]+)"

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-19-2022 12:00 AM 
| rex "event-type:(?<eventType>.+)"
0 Karma
Reply
Solved! Jump to solution

aditsss
Motivator
‎06-19-2022 01:01 AM

Hi @ITWhisperer 

 

Its not showing the correct way.

My entire query is this

index=abc ns=blazepsfpublish app_name=pulldataoneforce* "The Total Process Time to publish in Kafka topic is" | rex "event-type:(?<eventType>.+)"| rename eventType as event-type|eval Date=strftime(_time, "%Y-%m-%d") | timechart span=1d count(source_uniqueid) as "The Total Process Time to publish in Kafka topic is" by event-type

I have attached the screenshot to show how it is coming

These are my raw logs

source-uniqueid=cdc3bcb5-9ad4-46a9-92dc-4c84b081ab3b, source-timestamp=1655646610318,event-type:Lead_Staging__c, source-type:OneForce, memsql-persist:true, channel:/event/tel_External_Change_Event__e, replayId:14522702, The Total Process Time to publish in Kafka topic is (milli-sec)=7

Can you please guide

 

Tags (1)
Preview file
49 KB
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎06-19-2022 01:12 AM

The previous rex worked with the examples you gave - because these examples were incomplete w.r.t. your actual events, it didn't work for your real event.

Assuming that the new examples are an accurate representation of your real events, try this

| rex "event-type:(?<eventType>[^,]+)"
0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...