Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract two values as field from following log and show average count of requests.

nandhiniG
Explorer
‎08-31-2020 02:41 AM

i want to extract two values from the below log message like TestUser as one field(featuename) and accounts_fetch as scenario name , and visualize the average requests for featurename +sceanrioname

"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 04:20 AM

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 03:30 AM 
... base search
| rex "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\""
| eval combined=featurename + "+" + scenarioname

You can now use stats to count by combined over some time period (e.g. 1hr), then another stats to take average counts for that period over a longer period (e.g. 1 day) although it isn't clear if that is what you mean by average requests

0 Karma
Reply
Solved! Jump to solution

nandhiniG
Explorer
‎08-31-2020 04:14 AM

I used the suggested pattern with sma;ll changes for extracting field as table ,

"Successfully retrieved the account details for user:"| rex
field=msg "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\"" | table featurename scenarioname

 

but the string value is not extracted in table i see empty tables

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 04:20 AM

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

0 Karma
Reply
Solved! Jump to solution

nandhiniG
Explorer
‎08-31-2020 04:40 AM

Thank you !!! it works 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk at Cisco Live 2025: Learning, Innovation, and a Little Bit of Mr. Brightside

Pack your bags (and maybe your dancing shoes)—Cisco Live is heading to San Diego, June 8–12, 2025, and Splunk ...

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco &#43; Splunk! We’ve ...