Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Create a field and then make a graph based on the different inputs to that field over time.

KindaWorking
Path Finder
‎11-25-2014 07:20 PM

I am very new to both regex and splunk...
If I have a particular field in the middle of a bunch of data. How do I make that field tied to say the next ~7 characters following it. When I use the field extractor it does not realize that I want to get meaningful data from the information directly after the field's name.

For instance if I have something like image=RandomImageName what is the best way to report on how often the different RandomImageNames appear over time.

I would really appreciate it if someone could just point me in the right direction.

Tags (3)
0 Karma
Reply

musskopf
Builder
‎11-25-2014 07:26 PM

Hello KindaWorking,

For the first question, could you pls provide some example of the Raw event data to assist with the Regex?

Regarding the second question, I'm assuming "image" is a field already extracted from your events, you should be able to just run a command like:

index=main "your search if applicable" | timechart count by image

Have a look on http://docs.splunk.com/Documentation/Splunk/6.2.0/SearchReference/Timechart to see all options for timechart

Cheers,

0 Karma
Reply

KindaWorking
Path Finder
‎11-26-2014 03:08 PM

Thanks for the help so far. Here is an example:

0.0.0.0 - - [27/Nov/2014:09:48:50 +1100] "GET /pdf.cfm?handle=afcacyc2&IMAGE=RANDOMIMAGENAME-V%20200&src=Direct HTTP/1.1" 302 69 "-" "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)";

If you see there is in the middle there IMAGE=RANDOMIMAGENAME
I want to be able to report on the data RANDOMIMAGENAME.
Thanks for the help

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...