Splunk Search

Create Statistic Table Based on Regex

Wendy
Explorer

Hi experts, I am new to Splunk and came across this requirement at work.

Requirement:

I want to create a table showing numbers of 2 different versions of recaptcha being successfully and unsuccessfully processed.

Current Log info:

Each event has a field named "msg" which contains a lot of information, including wording like "Exception: recaptcha v 2 validation failure," "Exception: recaptcha v 3 validation failure", "Recaptcha v2 verification: successful", "Recaptcha v3 verification: successful" based on different events.

Tasks:

How can I create a regex expression to count the number of all exceptions and the number of different types of exceptions? Same tasks for the successful message, but I can figure that out if someone can help with the previous question.

Thank you.


manjunathmeti
Champion

hi @Wendy,

You need to extract relevant values in the fields using rex and then use stats to count as per your requirements. Try this:

index=indexname
| rex field=msg "(?<message>(Exception:\s)?(?i)Recaptcha\s(?<version>v\s?\d)[\w\W]+(successful|failure))" 
| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS") 
| eventstats count as status_count by status 
| stats latest(_time) as _time, latest(*) as * count as message_count by message


If this reply helps you, a like would be appreciated.

Wendy
Explorer

Hi @manjunathmeti, that helps. I just need to disassemble your query to understand how it works.


manjunathmeti
Champion

1. Extract fields message and version from msg using the rex command. Check this link for a detailed regex explanation: https://regex101.com/r/VjmWn6/1/

| rex field=msg "(?<message>(Exception:\s)?(?i)Recaptcha\s(?<version>v\s?\d)[\w\W]+(successful|failure))"

2. Remove whitespace in field version. Evaluate status to FAIL/SUCCESS based on message field values:

| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS")

3. Count FAIL/SUCCESS status. Check the Splunk documentation for details on the eventstats command.

| eventstats count as status_count by status

4. Count events by the messages. Check the Splunk documentation for details on the stats command.

| stats latest(_time) as _time, latest(*) as * count as message_count by message

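To see what the four steps above actually compute, here is the same extraction and counting done outside Splunk in plain Python. This is an added example, not code from either poster; it runs over a handful of constructed "msg" values (not real events from the thread) and reproduces the rex/eval/eventstats/stats logic: the named-group regex, the whitespace removal in the version field, the FAIL/SUCCESS classification, and the counts by status and by version. Python's re module uses `(?P<name>...)` for named groups and does not allow a bare `(?i)` in the middle of a pattern, so the case-insensitive part is written as the scoped group `(?i:...)`, which matches what the original pattern does (only "Exception:" stays case-sensitive).

```python
import re
from collections import Counter

# Constructed sample events standing in for the "msg" field of real Splunk events.
# The last line is deliberate noise that the regex must not match.
SAMPLE_EVENTS = [
    {"msg": "2024-01-15T10:00:01Z host=web01 Exception: recaptcha v 2 validation failure, token expired"},
    {"msg": "2024-01-15T10:00:02Z host=web01 Recaptcha v2 verification: successful"},
    {"msg": "2024-01-15T10:00:03Z host=web02 Exception: recaptcha v 3 validation failure"},
    {"msg": "2024-01-15T10:00:04Z host=web02 Recaptcha v3 verification: successful"},
    {"msg": "2024-01-15T10:00:05Z host=web03 Recaptcha v3 verification: successful"},
    {"msg": "2024-01-15T10:00:06Z host=web03 Login attempt for user bob from 10.0.0.5"},
]

# Same pattern as the rex in the answer, in Python syntax:
#   (?<name>...) -> (?P<name>...)   and   mid-pattern (?i) -> scoped (?i:...)
# "Exception:" is matched case-sensitively; everything from "Recaptcha" onward is not.
PATTERN = re.compile(
    r"(?P<message>(Exception:\s)?(?i:Recaptcha\s(?P<version>v\s?\d)[\w\W]+(successful|failure)))"
)


def classify(msg):
    """Mirror the rex + eval steps for one event.

    Returns a dict with message, version (whitespace removed) and status,
    or None when the event is not a recaptcha message at all.
    """
    match = PATTERN.search(msg)
    if match is None:
        return None
    # eval version=replace(version, "\s+", "")
    version = re.sub(r"\s+", "", match.group("version"))
    # eval status=if(match(message, "Exception:"), "FAIL", "SUCCESS")
    status = "FAIL" if "Exception:" in match.group("message") else "SUCCESS"
    return {"message": match.group("message"), "version": version, "status": status}


def summarize(events):
    """Mirror eventstats (count by status) and a version/status breakdown.

    Returns (by_status, by_version_status, unmatched) where the first two are
    Counters and unmatched is the number of events the regex did not match.
    """
    by_status = Counter()
    by_version_status = Counter()
    unmatched = 0
    for event in events:
        result = classify(event["msg"])
        if result is None:
            unmatched += 1
            continue
        by_status[result["status"]] += 1
        by_version_status[(result["version"], result["status"])] += 1
    return by_status, by_version_status, unmatched


def table_rows(events):
    """Return the final table as sorted (version, status, count) rows."""
    _, by_version_status, _ = summarize(events)
    return sorted(
        (version, status, count)
        for (version, status), count in by_version_status.items()
    )


if __name__ == "__main__":
    by_status, _, unmatched = summarize(SAMPLE_EVENTS)
    print("status_count:", dict(by_status), "unmatched:", unmatched)
    for version, status, count in table_rows(SAMPLE_EVENTS):
        print(f"{version:<4} {status:<8} {count}")
```

The unmatched counter is worth keeping in any real version of this search: an event that the rex does not match gets no version or status field, so it silently drops out of the stats, and a change in the application's log wording would show up only as the counts quietly going to zero rather than as an error.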

venkatasri
SplunkTrust

Hi @Wendy

Can you share a sample raw event so we can write a regex? You can anonymize the critical info, if any.
