Splunk Enterprise

extract two values as field from following log and show average count of requests.

nandhiniG
Explorer

i want to extract two values from the below log message like TestUser as one field(featuename) and accounts_fetch as scenario name , and visualize the average requests for featurename +sceanrioname

"Successfully retrieved the account details for user: KL**19**19**19**19**11**11**11** with feature: TestUser, scenario: accounts_fetch"

Labels (1)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

View solution in original post

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust
... base search
| rex "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\""
| eval combined=featurename + "+" + scenarioname

You can now use stats to count by combined over some time period (e.g. 1hr), then another stats to take average counts for that period over a longer period (e.g. 1 day) although it isn't clear if that is what you mean by average requests

0 Karma

nandhiniG
Explorer

I used the suggested pattern with sma;ll changes for extracting field as table ,

"Successfully retrieved the account details for user:"| rex
field=msg "feature: \"(?<featurename>[^,]+), scenario: (?<scenarioname>[^\"]+)\"" | table featurename scenarioname

 

but the string value is not extracted in table i see empty tables

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

The pattern had extra double quotes in which were not needed

 

 

"Successfully retrieved the account details for user:"| rex
field=msg "feature: (?<featurename>[^,]+), scenario: (?<scenarioname>.+)" | table featurename scenarioname

 

 

0 Karma

nandhiniG
Explorer

Thank you !!! it works 

0 Karma
Get Updates on the Splunk Community!

Operationalizing TDIR: Building a More Resilient, Scalable SOC

Optimizing SOC workflows with a unified, risk-based approach to Threat Detection, Investigation, and Response ...

Almost Too Eventful Assurance: Part 1

Modern IT and Network teams still struggle with too many alerts and isolating issues before they are notified. ...

Demo Day: Strengthen Your SOC with Splunk Enterprise Security 8.1

Today’s threat landscape is more complex than ever. Security operation centers (SOCs) are overwhelmed with ...