Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Need help with log having multiple occurrence of same field

abishekmaggo
New Member
‎04-06-2018 04:20 PM

I have following logs where field4 is coming twice in each log line.

Example:
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=XXX, field2=ZZZZ), field3=jeSession, field4=abc_xxx, field6=ddd.com, field6=)) field7=service1 field4=xyz_xxx field8=ser1
2018-04-06T23:01:36.264+0000 logLevel=INFO Response=(( filed1=YYY, field2=ZZZZ1), field3=tuSession, field4=abc_yyy, field6=ccc.com, field6=)) field7=service2 field4=xyz_yyy field8=ser2

How I can make sure it always pick first field4 for value (one with value as "acd_xxx", "abc_yyy"). I tried using mvindex but it works with multiple value in field itself (e.g. field4=xxx,yyy)

I want to display count by first field4 only

index=XXXXX | eval res=mvindex(field4,0) | stats count by res

Tags (3)
0 Karma
Reply

niketn
Legend
‎04-07-2018 09:23 AM

@abishekmaggo, first occurrence of field4 is followed by field6 while the second occurrence of field4 is followed by field8. So maybe you can use that to your advantage.

<yourBaseSearch>
| rex "field4=(?<field4>[^,]+),field6="
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

adonio
Ultra Champion
‎04-06-2018 06:52 PM

hello there,

i am positive there other ways to solve it, here is a quick one assuming your data looks always like your samples
use the |rex command to point only to your first field4 maybe something like this:

index = XXXXX
| rex "field3=\S+,\sfield4=(?<field4>\S+),"
| stats count by field4

see link:
https://regex101.com/r/uMivWN/1
note: my regex might not be the best one

hope it helps

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Announcing Modern Navigation: A New Era of Splunk User Experience

We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...

After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...