Splunk Search

Create Statistic Table Based on Regex

Wendy
Explorer

Hi experts, I am new to Splunk and came across this requirement at work.

Requirement:

I want to create a table showing the numbers of 2 different versions of recaptcha being successfully and unsuccessfully processed.

Current Log info:

Each event has a field named "msg" which contains a lot of information, including wording like "Exception: recaptcha v 2 validation failure", "Exception: recaptcha v 3 validation failure", "Recaptcha v2 verification: successful", "Recaptcha v3 verification: successful", depending on the event.

Tasks:
How can I create a regex expression to count the number of all exceptions and the number of each different type of exception? The same task applies to the successful messages, but I can figure that out if someone can help with the previous question.

Thank you.

0 Karma

manjunathmeti
Champion

hi @Wendy,

You need to extract relevant values in the fields using rex and then use stats to count as per your requirements. Try this:

index=indexname
| rex field=msg "(?<message>(Exception:\s)?(?i)Recaptcha\s(?<version>v\s?\d)[\w\W]+(successful|failure))" 
| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS") 
| eventstats count as status_count by status 
| stats latest(_time) as _time, latest(*) as * count as message_count by message


If this reply helps you, a like would be appreciated.

Wendy
Explorer

Hi @manjunathmeti, that helps. I just need to disassemble your query to understand how it works.

0 Karma

manjunathmeti
Champion

1. Extract the fields message and version from msg using the rex command. Check this link for a detailed regex explanation: https://regex101.com/r/VjmWn6/1/

| rex field=msg "(?<message>(Exception:\s)?(?i)Recaptcha\s(?<version>v\s?\d)[\w\W]+(successful|failure))"

2. Remove the whitespace in the version field. Evaluate status to FAIL/SUCCESS based on the message field values:

| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS")

3. Count the FAIL/SUCCESS statuses. Check the documentation for details on the eventstats command:
| eventstats count as status_count by status

4. Count events by the messages. Check the documentation for details on the stats command:
| stats latest(_time) as _time, latest(*) as * count as message_count by message

0 Karma
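Added example, not part of the thread: the rex/eval/stats pipeline from the answer above, re-implemented in Python over constructed sample "msg" values so the regex and the FAIL/SUCCESS logic can be checked outside Splunk. The sample messages and the wrapper text around the recaptcha wording are invented. Python's re module needs (?P<name>...) instead of PCRE's (?<name>...) and does not accept a mid-pattern (?i), so that flag is written as a scoped (?i:...) group with the same effect as in the original. The last counter, by version and status, is the per-version table the question asked for and is an addition here, not something the answer computes.

```python
import re
from collections import Counter

# Constructed sample values for the "msg" field, in the shapes the question describes.
# These are not real log lines; everything around the recaptcha wording is invented.
SAMPLE_MSGS = [
    "2024-01-01 10:00:01 form=login Exception: recaptcha v 2 validation failure, token rejected",
    "2024-01-01 10:00:02 form=login Recaptcha v2 verification: successful",
    "2024-01-01 10:00:03 form=signup Exception: recaptcha v 3 validation failure, score too low",
    "2024-01-01 10:00:04 form=signup Recaptcha v3 verification: successful",
    "2024-01-01 10:00:05 form=signup Recaptcha v3 verification: successful",
    "2024-01-01 10:00:06 form=login user logged in",  # no recaptcha wording: rex sets no fields
]

# The rex pattern from the answer, translated to Python's re syntax:
#   PCRE (?<name>...) becomes (?P<name>...), and the mid-pattern (?i) becomes a
#   scoped (?i:...) group so that, as in the original, "Exception:" stays
#   case-sensitive while "Recaptcha", "v" and "successful|failure" do not.
RECAPTCHA_RE = re.compile(
    r"(?P<message>(Exception:\s)?(?i:Recaptcha\s(?P<version>v\s?\d)[\w\W]+(successful|failure)))"
)


def extract(msg):
    """Mirror of the rex and eval steps for one event.

    Returns {"message", "version", "status"} or None when the regex does not
    match (in Splunk such an event simply has no message/version field and
    drops out of the later stats).
    """
    m = RECAPTCHA_RE.search(msg)
    if m is None:
        return None
    # eval version=replace(version, "\s+", "")  -> "v 2" becomes "v2"
    version = re.sub(r"\s+", "", m.group("version"))
    # eval status=if(match(message, "Exception:"), "FAIL", "SUCCESS")
    status = "FAIL" if re.search(r"Exception:", m.group("message")) else "SUCCESS"
    return {"message": m.group("message"), "version": version, "status": status}


def summarize(msgs):
    """Mirror of the stats steps over a list of msg values.

    Returns three counters:
      by_status         -> eventstats count as status_count by status
      by_message        -> stats count as message_count by message
      by_version_status -> count by (version, status); the per-version table
                           the question asked for, added here
    """
    extracted = [e for e in (extract(m) for m in msgs) if e is not None]
    by_status = Counter(e["status"] for e in extracted)
    by_message = Counter(e["message"] for e in extracted)
    by_version_status = Counter((e["version"], e["status"]) for e in extracted)
    return by_status, by_message, by_version_status


def version_table(by_version_status):
    """Render the version x status counts as rows of (version, fails, successes)."""
    versions = sorted({v for v, _ in by_version_status})
    return [
        (v, by_version_status[(v, "FAIL")], by_version_status[(v, "SUCCESS")])
        for v in versions
    ]


if __name__ == "__main__":
    by_status, by_message, by_version_status = summarize(SAMPLE_MSGS)
    print("status counts:", dict(by_status))
    for message, n in by_message.items():
        print(f"{n:3d}  {message}")
    print(f"{'version':8s} {'FAIL':>5s} {'SUCCESS':>8s}")
    for v, fails, oks in version_table(by_version_status):
        print(f"{v:8s} {fails:5d} {oks:8d}")
```

Two things worth noticing when reading the output: the event with no recaptcha wording never reaches the counts, which is the same behaviour as rex leaving the fields unset in Splunk, and the greedy `[\w\W]+` in the pattern means the message field will swallow any text between the version and the last "successful"/"failure" on the line, so on messages that carry more than one of those words the extracted message can be longer than expected. In SPL the per-version table corresponds to finishing the search with `| stats count by version, status` instead of (or in addition to) the count by message.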

venkatasri
SplunkTrust

Hi @Wendy 

Can you share a sample raw event so we can write a regex? You can anonymize any critical info.

0 Karma