Solved: Chart count by specific colon separated field (sys...

onbits · ‎02-10-2014

Hi,

Im new to splunk and Im not a developer, and I got stuck trying to make a simple graphical display in dashboard showing syslog sources, using syslogs given hostnames. In example below (AP01-MATRIX).

If i use the "chart count by host" it gives me a graphic with 197.116.14.182 but I need to use AP01-MATRIX instead. I thought about using something simple like get the 4th item separated by colon, but I dont know how.

Feb 10 12:22:26 197.116.14.182 274: AP01-MATRIX: Mar 4 12:22:26.490 UTC: %DOT11-4-CCMP_REPLAY: Client baf6.85f8.1da6 had 1 AES-CCMP TSC replays

host = **197.116.14.182* source = udp:514 sourcetype = syslog

Thanks in advance.

sbrant_splunk · ‎02-10-2014

This should work from the search bar but in the long term, you'll want to set the proper host metadata at the time of input.

... | rex "^(?:[^\s]+\s){5}(?<new_host>[^:]+)" | stats count by new_host

View solution in original post

sbrant_splunk · ‎02-10-2014

This should work from the search bar but in the long term, you'll want to set the proper host metadata at the time of input.

... | rex "^(?:[^\s]+\s){5}(?<new_host>[^:]+)" | stats count by new_host

onbits · ‎02-10-2014

Thanks a lot! It worked exactly as I wanted! 🙂

sbrant_splunk · ‎02-10-2014

Whoops, sorry about that. Updated the answer.

onbits · ‎02-10-2014

Tried this:
sourcetype=syslog | ^(?:[^\s]+\s){5}(?[^:]+) | stats count by new_host

And got this:
Error in 'SearchParser': Missing a search command before '^'.

Chart count by specific colon separated field (syslog)

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?