Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help with query

Mrig342
Contributor
‎04-30-2021 04:57 AM

Hi All,

I am trying to extract a field from the below log.

log1:

esbgc_as_uat2_dom|ESB/Monitoring/ESB_HealthCheck|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 07:18:55 EST|1
esbgc_as_uat2_dom|ESB/Framework/Dispatcher/InterfaceDispatcher_SG_IDT2_CPG_A|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 04:59:40 EST|2
esbgc_as_uat2_dom|ESB/Framework/Dispatcher/InterfaceDispatcher_SG_IDT2_CPG_B|esbgc_as_uat2_dom|Synchronized|Thu 29-Apr-2021 05:01:45 EST|2

 

I created the below query to extract the field "App_Name" which is "ESB_HealthCheck|esbgc_as_uat2_dom"from the log:

| rex field=_raw "^[^\|\n]*\|(?P<App_Name>[^\|]+)"

Here, I am getting the value from the line one only. How will I be able to extract the value from all the lines in the log.

Please help me creating the query to get the desired output.

Your kind support will be highly appreciated.

 

Thank you.

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2021 01:16 AM

Assuming there are line-breaks, try this:

| makeresults
| eval _raw="esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_ss_uat2_dom|Synchronized|Sat 01-May-2021 08:13:18 EST|1
esbgc_as_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_as_uat2_dom|Synchronized|Sat 01-May-2021 08:13:32 EST|1"
| rex max_match=0 "(?m)^[^\|]+\|(?P<App_Name>[^\|]+)"

View solution in original post

Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-30-2021 05:17 AM

Are these lines all in one event? If so, you could use max_match=0 to give you a multi-value field of App_Names

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎04-30-2021 05:17 AM

Hi @Mrig342,

let me understand: the rows you shared are from one event or from more events?

if they come from more events, your regex is correct,

if instead your rows come from one event, you have to modify your regex, something like this:

| rex "(?ms)^[^\|\n]*\|(?P<App_Name>[^\|]+)"

but I think that, if all the rows come from only one event, the problem isn't the field extraction, but the event separation because you have a timestamp in each row.

Your props.con reaches to divide the events?

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

Mrig342
Contributor
‎05-02-2021 11:35 PM

Hi @gcusello,

Thank you very much for your reply and suggestion. 

The lines are of one event. You can consider as below:

log1: 

esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_ss_uat2_dom|Synchronized|Sat 01-May-2021 08:13:18 EST|1 esbgc_as_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_as_uat2_dom|Synchronized|Sat 01-May-2021 08:13:32 EST|1

log2:

esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_CardServices_6A|esbgc_ss_uat2_dom|Synchronized|Fri 30-Apr-2021 10:58:10 EST|1

etc. and some logs might have 3 or more lines too.

When trying with the query you gave ("(?ms)^[^\|\n]*\|(?P<App_Name>[^\|]+)"), I am getting output as:

esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_ss_uat2_dom|Synchronized|Sat 01-May-2021 08:13:18 EST|1 esbgc_as_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_as_uat2_dom|Synchronized|Sat 01-May-2021 08:13:32 EST|1

 

Also I tried to give a max_match=0 to consider multivalues using query (| rex field=_raw "(?ms)^[^\|\n]*\|(?P<App_Name>[^\|]+)"), I am getting output as:

esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_ss_uat2_dom|Synchronized|Sat 01-May-2021 08:13:18 EST|1 esbgc_as_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_as_uat2_dom|Synchronized|Sat 01-May-2021 08:13:32 EST|1

Here, it is considering everything as App_Name.

Please help look into it and correct the query.

Thank you.

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2021 12:00 AM

It is a little difficult to tell if there are line-breaks between the "lines" or whether it has simply word-wrapped. Assuming that there are line-breaks, (?m)^ takes care of them so you should only need to skip past the first pipe-delimited part on each line. 

| rex max_match=0 "(?m)^[^\|]*\|(?P<App_Name>[^\|]+)"

 

0 Karma
Reply
Solved! Jump to solution

Mrig342
Contributor
‎05-03-2021 01:07 AM

Hi @ITWhisperer,

Thank you for your suggestion.

However the query still gives output as before. 

esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_ss_uat2_dom|Synchronized|Sat 01-May-2021 08:13:18 EST|1 esbgc_as_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_as_uat2_dom|Synchronized|Sat 01-May-2021 08:13:32 EST|1

Seems line break is the issue. Considering to configure the line breaks and will try then.

If you can suggest anything else, it's welcomed.

Thank you very much for your support.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎05-03-2021 01:16 AM

Assuming there are line-breaks, try this:

| makeresults
| eval _raw="esbgc_ss_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_ss_uat2_dom|Synchronized|Sat 01-May-2021 08:13:18 EST|1
esbgc_as_uat2_dom|ESB/Services/ProductBaseV6/Prov_DepositsAndRatesServices_6A|esbgc_as_uat2_dom|Synchronized|Sat 01-May-2021 08:13:32 EST|1"
| rex max_match=0 "(?m)^[^\|]+\|(?P<App_Name>[^\|]+)"
Reply
Solved! Jump to solution

Mrig342
Contributor
‎05-03-2021 11:14 PM

Hi @ITWhisperer,

This query works fine. Thank you very much for your support.

0 Karma
Reply
Solved! Jump to solution

manjunathmeti
Champion
‎04-30-2021 05:12 AM

hi @Mrig342,

Try this:

| rex "\/(?<App_Name>\w+\|\w+)"
0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...