How to rex multiple fields and represent in a char...

pranay04 · ‎01-31-2019

I am trying to chart my output from logs to rex for different errors like
i. "com.ibm.mq.MQException" as MQError
ii. "ORA Error" as DB error
iii. "OutOfMemory Error" as OOM

The above errors are part of the log event and are not classified by any fields.

woodcock · ‎02-12-2019

Maybe this:

index=AlwaysSpecifyAnIndex AND sourcetype=AndSourcetypeToo
| eval error=case(
   searchmatch("com.ibm.mq.MQException"), "MQError",
   searchmatch("ORA Error"),              "DB error",
   searchmatch("OutOfMemory Error"),      "OOM",
   true(),                                "Unknown")
| stats count BY error

MuS · ‎01-31-2019

Hi pranay04,

That's pretty easy and straight forward in Splunk 🙂
Based on your provided examples take this run everywhere command:

| makeresults 
| eval flubber="com.ibm.mq.MQException,ORA Error,OutOfMemory Error" 
| makemv delim="," flubber 
| mvexpand flubber 
| rename comment AS "Everything above this was used to create dummy data!" 
| eval status=case(match(flubber, "com.ibm.mq.MQException"), "MQError", match(flubber, "ORA Error"), "DB error",match(flubber, "OutOfMemory Error"), "OOM", 1=1, " ¯\_(ツ)_/¯ ") 
| chart count by status

The result will look like this:

Hope this helps ...

cheers, MuS

woodcock · ‎01-31-2019

Please start over and add many more words of description. I have no idea what you need. Always provide final output mockups so that even if your descriptions are lacking, we can get the gist.

How to rex multiple fields and represent in a chart?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!