Solved: Field Extractor - extract digit from brackets

darspla · ‎08-11-2021

Hi,
I would like to extract particular digit from brackets, index it as follows and based on that create stats hourly.
Each time is picking this up with bracket as a string.

This is service which is making entry every hour, once will recognize to add up will present digit , if not will be 0.
My goal would be to have stats from every hour on the graph to see how does it changes.

gcusello · ‎08-13-2021

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

darspla · ‎08-12-2021

Hi @gcusello ,
Yes, works very nicely. Would you have any idea how to retrieve stats daily from action like below when :
"[36972 ] users to update "

[ 9216 ] users to delete, [ 2 ] users to add, [ 36972 ] users to update in DB cache in [ 6847ms ]

Retrieve data when is higher than '100' ?
Bit concern which graph to choose to make it readable for many people.

gcusello · ‎08-12-2021

Hi @darspla,

I don't know your logs and your requirements.

I suppose that you could have a time distribution day by day or hour by hour, it depends on how frequently you receive the above logs.

So, if e.e. you receive the above logs once in a day, you could run something like this:

index=your_index
| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"
| timechart span=1d max(users_to_add) AS users_to_add

or something like this:

index=your_index
| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"
| bin span=1d _time
| stats max(users_to_delete) AS users_to_delete max(users_to_add) AS users_to_add max(users_to_update) AS users_to_update BY _time

Ciao.

Giuseppe

darspla · ‎08-13-2021

Thanks a lot @gcusello , that gave some vision. Modified in 2 other ways so fetched info needed.

gcusello · ‎08-13-2021

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

gcusello · ‎08-12-2021

Hi @darspla,

you have to use a regex to extract the fields you need.

I could be more precise if you share two or three examples of your logs (in text format, not image),

Anyway try something like this:

| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"

Ciao.

Giuseppe

darspla · ‎08-12-2021

Hi @gcusello ,

Thanks for quick reply.

2021-08-12 7:17:34.338 AM 2021-08-12 07:17:34,338+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 378 ] users to update in DB cache in [ 1166ms ]

2021-08-12 06:17:34,305+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 125 ] users to update in DB cache in [ 1129ms ]

gcusello · ‎08-12-2021

Hi @darspla,

as you can see at https://regex101.com/r/hQylcj/1 the above regex is correct.

Ciao.

Giuseppe

Field Extractor - extract digit from brackets

field extraction

regex

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms