Solved: Re: Fetch the details

svodela · ‎01-02-2024

We are trying to create a dashboard to understand the usage of our application version something like shown below

Application Name	Version
sgs	1.0.18

When we search for particular index ""sgs1.0.18*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" we get below result.

<< uri="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", SERVICE_PREFIX="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", path="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", resourceMethod="get", HTTP_METHOD="get", resourceUri="api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106"

Could you please help us to give sample splunk query to achieve the results .

Thanks

svodela · ‎01-02-2024

Thank you Giuseppe. Appreciate your support. This query has helped us to do what we are looking for.

View solution in original post

svodela · ‎01-02-2024

@gcusello - I was able to fine the way with rename

"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version | fields "app", "date_mday", "userId", "version" | rename "date_mday" AS "Date"

svodela · ‎01-02-2024

Hello @gcusello ,

Sorry to come back , is there any way to change the table label.

example of my search:

"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version

can my table looks like below

app	version	userid	Date ( rather than date_mday)

dtburrows3 · ‎01-02-2024

Add this line to the end of the query

| rename date_mday as Date

svodela · ‎01-02-2024

Thank you Giuseppe. Appreciate your support. This query has helped us to do what we are looking for.

gcusello · ‎01-02-2024

Hi @svodela,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎01-02-2024

Hi @svodela,

if you're sure that you applications haven't numbers in their name and that version is always in the format "nn.nn.nn", you could use a regex like the following to extract apps and versions and run a search like the following:

<your_search>
| rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)"
| table app version

you can check the regex at https://regex101.com/r/FNieNJ/1

Ciao.

Giuseppe

Fetch the details

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

Join the Conversation