Splunk Search

Extracting from multiple fields and group by Domain name

thiagarajan
Explorer

My logs look like this

Tue Aug 27 2013 00:34:47 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(372165969)[error][10.11.12.123]: Either service is down or transaction timed out for Service:WorkspaceData
UUID:4c4b1672-9af1-4f95-a28b-d78611bd6a6
Backend:lprva1234.test.com:6090
Domain:SpaceK

Tue Aug 27 2013 00:35:28 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(379832419)[error][10.14.24.263]: Either service is down or transaction timed out for Service:MyList
UUID:8f3dc371-845c-4768-928b-35938dacffb6
Backend:lprva4567.test.com:6087
Domain:SpaceH

Tue Aug 27 2013 00:54:39 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(327317173)[error][10.11.12.123]: Either service is down or transaction timed out for Service:WorkspaceData
UUID:99dafd8f-9639-4d8e-ac5d-5d0d5a35ae77
Backend:lprva7891.test.com:6090
Domain:SpaceK

Sun Sep 01 2013 00:23:27 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(112725141)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyConnnect
UUID:2e57e791-e6fe-4b0e-b401-77de0a2ba511
Backend:lprva8225.test.com:6091
Domain:SpaceL

Sun Sep 01 2013 00:23:37 [DEV][MyTest][error] mpgw(IntegrationGateway): tid(112727877)[error][10.11.12.123]: Either service is down or transaction timed out for Service:MyConnnect
UUID:523b378f-14d3-41c2-8357-e8642a595c5d
Backend:lprva8228.test.com:6091
Domain:SpaceL

The regex for timedoutservice is -> (?i)^(?:[^:]*:){5}(?P<timedoutservice>[^\s]+)
Search query is -> sourcetype="MyLog" ("transaction timed out for Service:" MyTest) |stats count as errorcount by timedoutservice

I am getting a result similar to this

timedoutservice                         errorcount
WorkspaceData                               2
MyList                                      1
MyConnnect                                  2

Expected result

timedoutservice                        errorcount        Domain
WorkspaceData                               2            SpaceK
MyList                                      1            SpaceH
MyConnnect                                  2            SpaceL

UUID and Backend will change, but the domain name remains the same for all the services.
The regex for domainName is -> (?i)\tDomain:(?P<Domain>.+)

I just tried to combine both regexes:

((?i)^(?:[^:]*:){5}(?P<timedoutservice>[^\s]+)(?i)\tDomain:(?P<Domain>.+))

I am getting the exception "Invalid regex: no named extraction at position 0 (i.e., "((?i)^(?:[..."). Expected "(?P<name>pattern)""
Do I need to use group by? How do I extract multiple fields? Any help is appreciated.

0 Karma

thiagarajan
Explorer

This is what I expected. Thank you very much for the quick reply. Can you explain why I am able to get the host name without group by?

0 Karma

lukejadamec
Super Champion

The field domain:value should be extracted automatically.

If it is not, have you tried the automated field extraction wizard? (down arrow key next to the event in a regular search)

If it is, then something like this should work:

sourcetype="MyLog" ("transaction timed out for Service:" MyTest) |stats count as errorcount by timedoutservice,domain

thiagarajan
Explorer

This is what I expected. Thank you for the quick reply. But can you tell me how I am getting the domain name without any group by? Is it because the domain name is unique?

0 Karma
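The extraction and grouping discussed in this thread, as an added Python example (not code from the original question or answer). It reproduces the two regexes from the question over constructed copies of the sample events, then does the equivalent of the answer's stats count ... by timedoutservice, Domain. It also shows a single combined regex that works: the attempt in the question fails Splunk's validation because the opening "(" at position 0 is an unnamed capturing group (field extractions require every capturing group to be named or non-capturing), and even without that wrapper it could not match the sample events, since the second (?i) sits mid-pattern and nothing in it spans the text between the service name and the Domain: line. Assumptions: the events are stored as multi-line strings, and the whitespace before Domain: is matched with \s rather than the poster's \t, so the code works whether the separator is a tab or a newline.

```python
import re
from collections import Counter

# Constructed sample events modelled on the ones in the question (not real log
# data). Each event is one multi-line string, as Splunk would hold it in _raw.
# The separator before "Domain:" is a newline here; the poster's regex used \t,
# so the patterns below accept any whitespace (an assumption, see lead-in).
_HDR = "[DEV][MyTest][error] mpgw(IntegrationGateway): tid({tid})[error][{ip}]: " \
       "Either service is down or transaction timed out for Service:{svc}\n" \
       "UUID:{uuid}\nBackend:{backend}\nDomain:{domain}"

EVENTS = [
    "Tue Aug 27 2013 00:34:47 " + _HDR.format(tid=372165969, ip="10.11.12.123", svc="WorkspaceData",
        uuid="4c4b1672-9af1-4f95-a28b-d78611bd6a6", backend="lprva1234.test.com:6090", domain="SpaceK"),
    "Tue Aug 27 2013 00:35:28 " + _HDR.format(tid=379832419, ip="10.14.24.263", svc="MyList",
        uuid="8f3dc371-845c-4768-928b-35938dacffb6", backend="lprva4567.test.com:6087", domain="SpaceH"),
    "Tue Aug 27 2013 00:54:39 " + _HDR.format(tid=327317173, ip="10.11.12.123", svc="WorkspaceData",
        uuid="99dafd8f-9639-4d8e-ac5d-5d0d5a35ae77", backend="lprva7891.test.com:6090", domain="SpaceK"),
    "Sun Sep 01 2013 00:23:27 " + _HDR.format(tid=112725141, ip="10.11.12.123", svc="MyConnnect",
        uuid="2e57e791-e6fe-4b0e-b401-77de0a2ba511", backend="lprva8225.test.com:6091", domain="SpaceL"),
    "Sun Sep 01 2013 00:23:37 " + _HDR.format(tid=112727877, ip="10.11.12.123", svc="MyConnnect",
        uuid="523b378f-14d3-41c2-8357-e8642a595c5d", backend="lprva8228.test.com:6091", domain="SpaceL"),
]

# A constructed event with no Domain line, to show how a missing by-field behaves.
EVENT_WITHOUT_DOMAIN = EVENTS[0].rsplit("\n", 1)[0]

# The two extractions from the question, unchanged apart from \s before Domain:.
# ^(?:[^:]*:){5} skips the five colons in "00:34:47 ... Gateway): ... ]: ... Service:"
# and the named group then takes the service token up to the next whitespace.
SERVICE_RE = re.compile(r"(?i)^(?:[^:]*:){5}(?P<timedoutservice>[^\s]+)")
DOMAIN_RE = re.compile(r"(?i)\sDomain:(?P<Domain>.+)")

# One regex extracting both fields in a single pass. Every group is named or
# non-capturing, the flags appear once at the start, and .*? under (?s) bridges
# the UUID and Backend lines between the service name and the Domain line.
COMBINED_RE = re.compile(
    r"(?is)^(?:[^:]*:){5}(?P<timedoutservice>[^\s]+).*?\sDomain:(?P<Domain>[^\s]+)"
)


def extract_fields(event):
    """Two separate extractions, like two EXTRACT stanzas or two rex commands."""
    fields = {}
    for rx in (SERVICE_RE, DOMAIN_RE):
        m = rx.search(event)
        if m:
            fields.update(m.groupdict())
    return fields


def extract_fields_combined(event):
    """Same result from the single combined regex."""
    m = COMBINED_RE.search(event)
    return m.groupdict() if m else {}


def count_by_service_and_domain(events, extractor=extract_fields):
    """Equivalent of: stats count as errorcount by timedoutservice, Domain.

    As in Splunk, an event missing either by-field is dropped from the result.
    """
    counts = Counter()
    for ev in events:
        f = extractor(ev)
        if "timedoutservice" in f and "Domain" in f:
            counts[(f["timedoutservice"], f["Domain"])] += 1
    return counts


def domains_per_service(events):
    """Check the claim that each service always reports the same Domain."""
    seen = {}
    for ev in events:
        f = extract_fields(ev)
        if "timedoutservice" in f and "Domain" in f:
            seen.setdefault(f["timedoutservice"], set()).add(f["Domain"])
    return seen


if __name__ == "__main__":
    print(f"{'timedoutservice':<16}{'errorcount':>11}  Domain")
    for (svc, dom), n in sorted(count_by_service_and_domain(EVENTS).items()):
        print(f"{svc:<16}{n:>11}  {dom}")
```

Two caveats for the Splunk side of this. Field names in Splunk are case-sensitive, so the name after by must match the named group exactly (Domain as extracted here, not domain). And stats ... by drops any event in which one of the by-fields is missing, which is why domains_per_service is worth running first: if a service ever logged without a Domain line, those errors would silently vanish from the grouped count.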