Solved: How to edit my regular expression to select the ti...

sankarms · ‎12-07-2016

I'm trying to create a line graph that represents number of requests throughout the day so we can see when we get the most requests. Here's what the log file looks like:

--69036a3a-A--
[27/Oct/2016:14:43:50 --0700] WBJ1FtFyTFUAABdj928AAADJ 
--69036a3a-B--

That contains the [Timestamp] UniqueId. I want to build the graph with the timestamp and then have a drilldown to show what the unique Id if you want to look at a particular request. I wrote this regex:

\W{2}\d{5}\w\d\w\W[A-B]\W{2}

But this selects --69036a3a-A-- and --69036a3a-B-- whereas I want it to select what's in between. How do I select that and create a line graph out of it?

Edit 1: I modified my regex to make it simpler:

[A]\W{2}\n(.*)\n\-\-

But this selects

A--
 [27/Oct/2016:14:43:50 --0700] WBJ1FtFyTFUAABdj928AAADJ 
 --

Whereas I want to exclude the A-- and --

sshelly_splunk · ‎12-07-2016

If using this in props.conf to extract field named "uniqueID"
Use this: (?ism)\[.+]\s+(?P<uniqueID>\S+)
To do this in search bar, use:
Your search ... | rex field=_raw "(?ism)\[.+]\s+(?P<uniqueID>\S+)"

Remove single tic marks for each example above.

View solution in original post

sshelly_splunk · ‎12-07-2016

If using this in props.conf to extract field named "uniqueID"
Use this: (?ism)\[.+]\s+(?P<uniqueID>\S+)
To do this in search bar, use:
Your search ... | rex field=_raw "(?ism)\[.+]\s+(?P<uniqueID>\S+)"

Remove single tic marks for each example above.

How to edit my regular expression to select the timestamp and UniqueID in order to create a line graph from it?

Advanced Splunk Data Management Strategies

Uncovering Multi-Account Fraud with Splunk Banking Analytics

Secure Your Future: A Deep Dive into the Compliance and Security Enhancements for the ...