Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Chart of multiple field values in one line

hofer
Explorer
‎03-12-2015 05:43 AM

I'd like to make a chart on how many times a state-text occurs. The thing is, there can be more than one state-text in one log line. At least there is one state-text ("state-text0":"xyz"), but it's possible to have up to 10 state-texts ("state-text9":"xyz") occuring in that field of a csv I extract before with regex ("TPIOUT").
Two sample lines:

...|{...","id":"13543","recipient0":"41790094703","state0":"0","state-text0":"Ok","recipient1":"41790034932","state1":"0","state-text1":"Ok","recipient2":"41790028491","state2":"4","state-text2":"invalid short id","recipient3":"41790045754","state3":"0","state-text3":"Ok"}|...

...|{...","id":"13544","recipient0":"417924524503","state0":"4","state-text0":"Error due sys fail","recipient1":"41792534932","state1":"0","state-text1":"Ok","recipient2":"41135135491","state2":"0","state-text2":"Ok"}|...

So I want to see a chart like this:
OK: 5
invalid short id: 1
Error due sys fail: 1

"state-text[0-9]" is independent of "state[0-9]"

I tried something like this, but it didn't return a chart with values:
... | regex _raw="(?i)^(?:[^|]|){50}(?P[^|])" | rex max_match=10 state-text\d":"(?\w+) | eval state_text='states' | chart count by state_text

Thanks in advance for your help!

Tags (4)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-12-2015 07:03 AM

Your chart command didn't chart any values because it only contained a single non-numeric value ("states"). I'm not sure what the regex command is supposed to do. The rex command looks OK, but needs to extract fields to be charted. Try this:

... | rex max_match=10 "state-text\d\":\"(?P<state_text>[]\w ]+)" | chart count by state_text
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎03-12-2015 07:03 AM

Your chart command didn't chart any values because it only contained a single non-numeric value ("states"). I'm not sure what the regex command is supposed to do. The rex command looks OK, but needs to extract fields to be charted. Try this:

... | rex max_match=10 "state-text\d\":\"(?P<state_text>[]\w ]+)" | chart count by state_text
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

hofer
Explorer
‎03-19-2015 03:58 AM

Thank you very much for your help! I could make it work like that. With your explanation I also understand the way of how the rex works in this command.
The regex before gave only the content of that field to the next pipe

0 Karma
Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...