Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract two values as field from following log and show average count of requests.

nandhiniG
Explorer
‎08-31-2020 02:41 AM

i want to extract two values from the below log message like TestUser as one field(featuename) and accounts_fetch as scenario name , and visualize the average requests for featurename +sceanrioname

"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 04:20 AM

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 03:30 AM 
... base search
| rex "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\""
| eval combined=featurename + "+" + scenarioname

You can now use stats to count by combined over some time period (e.g. 1hr), then another stats to take average counts for that period over a longer period (e.g. 1 day) although it isn't clear if that is what you mean by average requests

0 Karma
Reply
Solved! Jump to solution

nandhiniG
Explorer
‎08-31-2020 04:14 AM

I used the suggested pattern with sma;ll changes for extracting field as table ,

"Successfully retrieved the account details for user:"| rex
field=msg "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\"" | table featurename scenarioname

 

but the string value is not extracted in table i see empty tables

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 04:20 AM

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

0 Karma
Reply
Solved! Jump to solution

nandhiniG
Explorer
‎08-31-2020 04:40 AM

Thank you !!! it works 

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...