Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

extract two values as field from following log and show average count of requests.

nandhiniG
Explorer
‎08-31-2020 02:41 AM

i want to extract two values from the below log message like TestUser as one field(featuename) and accounts_fetch as scenario name , and visualize the average requests for featurename +sceanrioname

"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 04:20 AM

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 03:30 AM 
... base search
| rex "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\""
| eval combined=featurename + "+" + scenarioname

You can now use stats to count by combined over some time period (e.g. 1hr), then another stats to take average counts for that period over a longer period (e.g. 1 day) although it isn't clear if that is what you mean by average requests

0 Karma
Reply
Solved! Jump to solution

nandhiniG
Explorer
‎08-31-2020 04:14 AM

I used the suggested pattern with sma;ll changes for extracting field as table ,

"Successfully retrieved the account details for user:"| rex
field=msg "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\"" | table featurename scenarioname

 

but the string value is not extracted in table i see empty tables

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2020 04:20 AM

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

0 Karma
Reply
Solved! Jump to solution

nandhiniG
Explorer
‎08-31-2020 04:40 AM

Thank you !!! it works 

0 Karma
Reply
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...
Top