Splunk Search

Create Statistic Table Based on Regex

Wendy
Explorer

Hi experts, I am new to Splunk and came across this requirement at work.

Requirement:

I want to create a table showing numbers of 2 different versions of recaptcha being successfully and unsuccessfully processed.

Current Log info:

Each event has a field named "msg" which contains a lot of information, including wording like "Exception: recaptcha v 2 validation failure", "Exception: recaptcha v 3 validation failure", "Recaptcha v2 verification: successful", "Recaptcha v3 verification: successful", depending on the event.

Tasks:
How can I create a regex expression to count the number of all exceptions and the number of each type of exception? The same task applies to the successful messages, but I can figure that out if someone can help with the previous question.

Thank you.


0 Karma

manjunathmeti
Champion

hi @Wendy,

You need to extract relevant values in the fields using rex and then use stats to count as per your requirements. Try this:

index=indexname
| rex field=msg "(?<message>(Exception:\s)?(?i)Recaptcha\s(?<version>v\s?\d)[\w\W]+(successful|failure))" 
| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS") 
| eventstats count as status_count by status 
| stats latest(_time) as _time, latest(*) as * count as message_count by message


If this reply helps you, a like would be appreciated.

Wendy
Explorer

Hi @manjunathmeti, that helps. I just need to disassemble your query to understand how it works.

0 Karma

manjunathmeti
Champion

1. Extract the fields message and version from msg using the rex command. Check this link for a detailed regex explanation: https://regex101.com/r/VjmWn6/1/

| rex field=msg "(?<message>(Exception:\s)?(?i)Recaptcha\s(?<version>v\s?\d)[\w\W]+(successful|failure))"

2. Remove whitespace in the field version. Evaluate status to FAIL/SUCCESS based on the message field values:

| eval version=replace(version, "\s+", ""), status=if(match(message, "Exception:"), "FAIL", "SUCCESS")

3. Count FAIL/SUCCESS status. Check this link for details on the eventstats command: eventstats.

| eventstats count as status_count by status

4. Count events by the messages. Check this link for details on the stats command: stats.

| stats latest(_time) as _time, latest(*) as * count as message_count by message

0 Karma
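Added example, not code from the thread: the same rex/eval/stats logic rewritten in Python and run over constructed sample events shaped like the msg values quoted in the question. The pattern is the one from the answer translated to Python regex syntax (named groups as (?P<name>...), the (?i) flag moved to the front), and the summary adds the per-version breakdown the question actually asks for.

```python
import re
from collections import Counter

# The answer's rex pattern in Python syntax. Python needs (?P<name>...) for
# named groups and rejects an inline (?i) that is not at the start.
RECAPTCHA_RE = re.compile(
    r"(?i)(?P<message>(Exception:\s)?Recaptcha\s(?P<version>v\s?\d)[\w\W]+(successful|failure))"
)

def extract(msg):
    """Mirror of `rex field=msg ...` followed by the `eval` step.

    Returns None when the pattern does not match. Splunk behaves the same way:
    rex leaves message/version unset and `stats ... by message` silently
    drops such events, so unmatched events never reach the counts.
    """
    m = RECAPTCHA_RE.search(msg)
    if m is None:
        return None
    message = m.group("message")
    version = re.sub(r"\s+", "", m.group("version"))  # "v 2" -> "v2", like replace()
    status = "FAIL" if "Exception:" in message else "SUCCESS"  # match(message, "Exception:")
    return {"message": message, "version": version, "status": status}

def summarize(events):
    """Counts equivalent to `eventstats count by status` and `stats count by
    message`, plus a (version, status) breakdown and the number of events
    the regex did not match."""
    by_status, by_message, by_version_status = Counter(), Counter(), Counter()
    unmatched = 0
    for ev in events:
        fields = extract(ev["msg"])
        if fields is None:
            unmatched += 1
            continue
        by_status[fields["status"]] += 1
        by_message[fields["message"]] += 1
        by_version_status[(fields["version"], fields["status"])] += 1
    return {"by_status": dict(by_status), "by_message": dict(by_message),
            "by_version_status": dict(by_version_status), "unmatched": unmatched}

# Constructed sample events (not real log data), one msg field each.
SAMPLE_EVENTS = [
    {"msg": "2024-01-01T10:00:00 WARN Exception: recaptcha v 2 validation failure, request dropped"},
    {"msg": "2024-01-01T10:00:05 INFO Recaptcha v2 verification: successful"},
    {"msg": "2024-01-01T10:00:09 WARN Exception: recaptcha v 3 validation failure,"},
    {"msg": "2024-01-01T10:00:12 INFO Recaptcha v3 verification: successful"},
    {"msg": "2024-01-01T10:00:15 INFO Recaptcha v3 verification: successful"},
    {"msg": "2024-01-01T10:00:20 INFO user login ok"},  # no recaptcha text: dropped
]

if __name__ == "__main__":
    for name, counts in summarize(SAMPLE_EVENTS).items():
        print(name, counts)
```

The unmatched count is worth keeping in a real search too (for example with `| stats count(eval(isnull(message)))`), because a message format change would otherwise lower the failure counts without any visible error.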

venkatasri
SplunkTrust

Hi @Wendy 

Can you share a sample raw event so we can write a regex? You can anonymize the critical info, if any.

0 Karma