Solved: Eval on a string and stats

nbharadwaj · ‎05-07-2010

I have a several log lines like this:

X:20100507193758.385:50:INFO:DTM:AppServerStartupTaskManager-pool-1-thread-1:Release Version Information Release Name: 164.18.1 Deployment Changelist:

How do I parse this to report on the Release Name string? I want to generate stats on how many releases I have had in a month/quarter.

Something like this does not give me what I want, I have to input some regular expressions here I think:

index="x" "Release Name: 164." | eval releaseName="Release Name: 164.*" | stats distinct_count(hosts) by releaseName, instance

dwaddle · ‎05-07-2010

Use a regular expression (regex) to extract this as a search-time field. Try something like

 index="x" | rex field=_raw "Release Name: (?<release_name>[^\s]+)" | stats distinct_count(hosts) by release_name, instance

You may want to review the docs at http://www.splunk.com/base/Documentation/4.0.10/Knowledge/Addfieldsatsearchtime

View solution in original post

dwaddle · ‎05-07-2010

Use a regular expression (regex) to extract this as a search-time field. Try something like

 index="x" | rex field=_raw "Release Name: (?<release_name>[^\s]+)" | stats distinct_count(hosts) by release_name, instance

You may want to review the docs at http://www.splunk.com/base/Documentation/4.0.10/Knowledge/Addfieldsatsearchtime

Eval on a string and stats

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR

Are you a member of the Splunk Community?

Eval on a string and stats

Index This | When is October more than just the tenth month?

Observe and Secure All Apps with Splunk

What’s New & Next in Splunk SOAR