Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fetch the details

svodela
Explorer
‎01-02-2024 02:57 AM

We are trying to create a dashboard to understand the usage of our application version something like shown below

Application NameVersion
sgs1.0.18

 

When we search for particular index ""sgs1.0.18*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" we get below result.

<< uri="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", SERVICE_PREFIX="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", path="get api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106", resourceMethod="get", HTTP_METHOD="get", resourceUri="api/mydetails/1.0.0/apime/employee-details?correlation-sit=sgs1.0.18u%26h%3d106"

Could you please help us to give sample splunk query to achieve the results .

 

Thanks

 

 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

svodela
Explorer
‎01-02-2024 05:08 AM

Thank you Giuseppe. Appreciate your support. This query has helped us to do what we are looking for.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

svodela
Explorer
‎01-02-2024 05:27 AM

@gcusello - I was able to fine the way with rename 

"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version | fields "app", "date_mday", "userId", "version" | rename "date_mday" AS "Date"
0 Karma
Reply
Solved! Jump to solution

svodela
Explorer
‎01-02-2024 05:17 AM

Hello @gcusello ,

 

Sorry to come back , is there any way to change the table label.

example of my search:

"sgs1.0.*" source="/data/wso2/api_manager/current/repository/logs/wso2carbon.log" | rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)" | table app version userId date_mday| dedup userId | sort version

can my table looks like below 

appversionuseridDate ( rather than date_mday)
    
    
0 Karma
Reply
Solved! Jump to solution

dtburrows3
Builder
‎01-02-2024 05:36 AM

Add this line to the end of the query

| rename date_mday as Date
0 Karma
Reply
Solved! Jump to solution
Solution

svodela
Explorer
‎01-02-2024 05:08 AM

Thank you Giuseppe. Appreciate your support. This query has helped us to do what we are looking for.

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-02-2024 05:12 AM

Hi @svodela,

good for you, see next time!

let me know if I can help you more, or, please, accept one answer for the other people of Community.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎01-02-2024 04:05 AM

Hi @svodela,

if you're sure that you applications haven't numbers in their name and that version is always in the format "nn.nn.nn", you could use a regex like the following to extract apps and versions and run a search like the following:

<your_search>
| rex "correlation-sit=(?<app>[A-Za-z]+)(?<version>\d+\.\d+\.\d+)"
| table app version

you can check the regex at https://regex101.com/r/FNieNJ/1

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Your Guide to Splunk Digital Experience Monitoring

A flawless digital experience isn't just an advantage, it's key to customer loyalty and business success. But ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...