Solved: How to edit my regular expression to select the ti...

sankarms · ‎12-07-2016

I'm trying to create a line graph that represents number of requests throughout the day so we can see when we get the most requests. Here's what the log file looks like:

--69036a3a-A--
[27/Oct/2016:14:43:50 --0700] WBJ1FtFyTFUAABdj928AAADJ 
--69036a3a-B--

That contains the [Timestamp] UniqueId. I want to build the graph with the timestamp and then have a drilldown to show what the unique Id if you want to look at a particular request. I wrote this regex:

\W{2}\d{5}\w\d\w\W[A-B]\W{2}

But this selects --69036a3a-A-- and --69036a3a-B-- whereas I want it to select what's in between. How do I select that and create a line graph out of it?

Edit 1: I modified my regex to make it simpler:

[A]\W{2}\n(.*)\n\-\-

But this selects

A--
 [27/Oct/2016:14:43:50 --0700] WBJ1FtFyTFUAABdj928AAADJ 
 --

Whereas I want to exclude the A-- and --

sshelly_splunk · ‎12-07-2016

If using this in props.conf to extract field named "uniqueID"
Use this: (?ism)\[.+]\s+(?P<uniqueID>\S+)
To do this in search bar, use:
Your search ... | rex field=_raw "(?ism)\[.+]\s+(?P<uniqueID>\S+)"

Remove single tic marks for each example above.

View solution in original post

sshelly_splunk · ‎12-07-2016

If using this in props.conf to extract field named "uniqueID"
Use this: (?ism)\[.+]\s+(?P<uniqueID>\S+)
To do this in search bar, use:
Your search ... | rex field=_raw "(?ism)\[.+]\s+(?P<uniqueID>\S+)"

Remove single tic marks for each example above.

How to edit my regular expression to select the timestamp and UniqueID in order to create a line graph from it?

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor