Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Need help to get the Splunk report in below format based on above inputs where values (TransactionTypeCode & TxnId ) are dynamic in nature:

harishnpandey
Explorer
‎07-18-2017 07:48 AM

TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501574041788 is ABC
TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501689567745 is XYZ
TxnProcess I >>>>>>>>> TransactionTypeCode for TxnId 3501689456789 is PNR

Need help to get the Splunk report in below format based on above inputs where values (TransactionTypeCode & TxnId ) are dynamic in nature:

TransactionTypeCode TxnId

ABC 3501574041788
XYZ 3501689567745
PNR 3501689456789

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-18-2017 08:05 AM

Here's one way, but I'm sure there are many others.

<your base search> | rex "TxnId (?<TxnId>\d+) is (?<TransactionTypeCode>\w+)" | table TransactionTypeCode TxnId
---
If this reply helps you, Karma would be appreciated.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎07-18-2017 08:05 AM

Here's one way, but I'm sure there are many others.

<your base search> | rex "TxnId (?<TxnId>\d+) is (?<TransactionTypeCode>\w+)" | table TransactionTypeCode TxnId
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

harishnpandey
Explorer
‎07-18-2017 10:59 AM

Thank you so much Rich,

It works perfectly . Just out of curiosity what w+ stand for (I have just started rex uses in Splunk)

Also ill it be easy way to get below o/p from given I/P. Appreciate your help

Input:
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE

Output

Notification Type TypeCode
MQ EMAIL
MQ SMS
MQ VOICE

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎07-18-2017 11:18 AM

\w+ means "at least one word character". A word character is any alphanumeric character (a-zA-Z0-9) or underscore (_).

A good resource for regular expressions is regex101.com.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

harishnpandey
Explorer
‎07-18-2017 11:53 AM

OK. This helps a lot .

For below input I tried search query as

index=myindex "Notification"|rex "(MQ) (?\d+) = (?\w+)"|stats count(Notification)

However, its not working says "no result found". The moment I take off ==> stats count(Notification)
it shows values

Input:
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...