Splunk Enterprise

Extract two values as fields from the following log and show the average count of requests.

nandhiniG
Explorer

I want to extract two values from the below log message, like TestUser as one field (featurename) and accounts_fetch as scenarioname, and visualize the average requests for featurename + scenarioname.

"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"

0 Karma

ITWhisperer
SplunkTrust
... base search
| rex "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\""
| eval combined=featurename + "+" + scenarioname

You can now use stats to count by combined over some time period (e.g. 1 hr), then another stats to take the average of those counts over a longer period (e.g. 1 day), although it isn't clear if that is what you mean by average requests.

0 Karma
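The two-stage aggregation described in that reply, written out as one complete SPL search. This is an added example, not code from either poster: the first four lines (makeresults, streamstats, the two evals) are a constructed stand-in for the base search that fabricates 192 events, four per hour across two days, with a msg field in the format shown in the question; the second scenario name, balance_check, is invented so that there are two combined values to compare. Replace those four lines with the real base search and its msg extraction. The rex pattern is the one without the escaped double quotes, which is the form that ended up matching in this thread.

```spl
| makeresults count=192
| streamstats count AS n
| eval _time = relative_time(now(), "-2d@d") + floor((n - 1) / 4) * 3600
| eval msg = "Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: " . if(n % 4 == 0, "balance_check", "accounts_fetch")
| rex field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)"
| eval combined = featurename . "+" . scenarioname
| bin _time span=1h
| stats count AS requests BY _time combined
| bin _time span=1d
| stats avg(requests) AS avg_requests_per_hour BY _time combined
```

The first stats collapses the events to one row per hour per combined value (the request count for that hour); the second bin rounds those hourly rows to the day and the second stats averages the hourly counts within each day. With the synthetic data above every hour holds three accounts_fetch events and one balance_check event, so the result is one row per day per combined value with averages of 3 and 1. Using `.` rather than `+` for the concatenation avoids eval treating two numeric-looking values as an addition.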

nandhiniG
Explorer

I used the suggested pattern with small changes for extracting the fields as a table,

"Successfully retrieved the account details for user:"
| rex field=msg "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\""
| table featurename scenarioname

but the string value is not extracted in the table; I see empty tables.

0 Karma

ITWhisperer
SplunkTrust

The pattern had extra double quotes in it which were not needed:

"Successfully retrieved the account details for user:"
| rex field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)"
| table featurename scenarioname

0 Karma
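A quick way to see why the first pattern produced empty columns and the second one does not, without touching the index. This is an added example, not either poster's code: it builds a single event with makeresults, sets msg to the exact string from the question (treated here as a constructed sample), and runs both rex patterns side by side; quoted_feature and quoted_scenario are names chosen for the example.

```spl
| makeresults
| eval msg = "Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"
| rex field=msg "feature: \"(?<quoted_feature>[^,]+), scenario: (?<quoted_scenario>[^\"]+)\""
| rex field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)"
| table msg quoted_feature quoted_scenario featurename scenarioname
```

rex does not error when its pattern fails to match; it simply creates no field, which is what the empty table was showing. In the output the quoted_* columns stay blank because the msg text has no double quote after "feature: ", while featurename and scenarioname are populated. One caveat on the working pattern: `(?<scenarioname>.+)` captures everything to the end of msg, so if the real messages ever carry trailing text after the scenario name, tighten it to `(?<scenarioname>[^\s,]+)`.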

nandhiniG
Explorer

Thank you!!! It works.

0 Karma