- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Can you help me create a regular expression to...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
log1:
com.google.AbcdExtension] [mthd] | null - Bound **CLINIC-MBR-GROUP-INC**:23490110094900 -- total execution took **14** seconds
log2:
com.google.AbcdExtension] [mthd] | null - Bound DEAF-RECO:12310110094900 -- writing 3 records took 14 seconds
log3:
com.google.AbcdExtension] [mthd] | val - Bound EYE-TRIO-GRP-INCREMENTAL:201901342421 -- backup strategy execution took 0 seconds
log4:
com.google.AbcdExtension] [mthd] | val - Bound **HOSPITAL-CARE-GROUP**:201123131323 -- total execution took **3425** seconds
From the above 4 logs, i want to extract log1 and log4 values, like the below table (highlighted)
HospName Timee
CLINIC-MBR-GROUP-INC 14
HOSPITAL-CARE-GROUP 3425
I have tried the below query, but it's giving junk also:
index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" | rex "- Bound (?<HospName>[^\:]*)" | rex "-- total execution took (?<Timee>[\w]*)" | table HospName Timee
Could you please correct my query
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arjun_krishna ,
Try
"Bound\s(?<HospName>[\w-]+):\d+ -- total execution took\s(?<Time>\d+)\s"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could you explain how we know for sure which entries are junk and which entries are not junk? It is just those two things, "CLINIC-MBR-GROUP-INC" and "HOSPITAL-CARE-GROUP" that are OK, and everything else is junk, or is it that EYE* and DEAF* are junk and everything else is good?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
"Bound\s(?[\w-]+):\d+ -- total execution took\s(?\d+)\s"
with this query i am exacting the required HospName, TIme attribues , but in table representation getting other logs too. due to this table becomes empty for most rows
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" | rex "- Bound (?<HospName>[^\:]*)" | rex "-- total execution took (?<Timee>[\w]*)" | search HospName=* | table HospName Timee
Which just searches for the ones where HospName is in the data, after you've extracted?
You could flip that and just search for the data you want first, then extract:
index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" ("HOSPITAL-CARE-GROUP" OR "CLINIC-MBR-GROUP-INC")
| rex "- Bound (?<HospName>[^\:]*)" | rex "-- total execution took (?<Timee>[\w]*)" | table HospName Time
NOTE in both cases I did not make any other changes to your extraction or search, just copied and pasted it from above so you can compare and see what I did. It might work as is, but also there are other suggestions for chunks of it that people have already posted - those might work better with the additions I made.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see nothing wrong with your query. Like @renjith.nair said, you could use \d instead of \w, but both should work. What results are you getting and what are you expecting?
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arjun_krishna ,
Try
"Bound\s(?<HospName>[\w-]+):\d+ -- total execution took\s(?<Time>\d+)\s"
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
With above query getting exact logs, but getting junk logs, due to that my table becomes empty for most of the rows
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the help @renjith.nair , I want ti take a timechart/linechart to get HospName is x-axis and Time (the time taken for each) in y-axis
I have tried below
|timechart count by HospName, Time but not getting any chart
Please help me on this
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@arjun_krishna , timechart is for plotting the values over a period of time. In your case ,
chart max(Time) by HostName should work
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, just add "total execution took" this to your base search to filter only those events where you have values
index="*randix*" source="*.log*" sourcetype="abcd-xyz*" "com.google.AbcdExtension" "total execution took"
What goes around comes around. If it helps, hit it with Karma 🙂
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
