Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Field Extractor - extract digit from brackets

darspla
Explorer
‎08-11-2021 11:57 PM

Hi,
I would like to extract particular digit from brackets, index it as follows and based on that create stats hourly.
Each time is picking this up with bracket as a string.

This is service which is making entry every hour, once will recognize to add up will present digit , if not will be 0.
My goal would be to have stats from every hour on the graph to see how does it changes.

darspla_0-1628751294001.png

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2021 12:32 AM

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

0 Karma
Reply
Solved! Jump to solution

darspla
Explorer
‎08-12-2021 01:22 AM

Hi @gcusello ,
Yes, works very nicely. Would you have any idea how to retrieve stats daily from action like below when :
"[36972 ] users to update "

[ 9216 ] users to delete, [ 2 ] users to add, [ 36972 ] users to update in DB cache in [ 6847ms ]


Retrieve data when is higher than '100' ?
Bit concern which graph to choose to make it readable for many people.



0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2021 07:35 AM

Hi @darspla,

I don't know your logs and your requirements.

I suppose that you could have a time distribution day by day or hour by hour, it depends on how frequently you receive the above logs.

So, if e.e. you receive the above logs once in a day, you could run something like this:

index=your_index
| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"
| timechart span=1d max(users_to_add) AS users_to_add

or something like this:

index=your_index
| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"
| bin span=1d _time
| stats max(users_to_delete) AS users_to_delete max(users_to_add) AS users_to_add max(users_to_update) AS users_to_update BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

darspla
Explorer
‎08-13-2021 12:17 AM

Thanks a lot @gcusello , that gave some vision. Modified in 2 other ways so fetched info needed. 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2021 12:32 AM

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2021 12:06 AM

Hi @darspla,

you have to use a regex to extract the fields you need.

I could be more precise if you share two or three examples of your logs (in text format, not image),

Anyway try something like this:

| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

darspla
Explorer
‎08-12-2021 12:22 AM

Hi @gcusello ,

Thanks for quick reply.


2021-08-12 7:17:34.338 AM 2021-08-12 07:17:34,338+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 378 ] users to update in DB cache in [ 1166ms ]

2021-08-12 06:17:34,305+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 125 ] users to update in DB cache in [ 1129ms ]

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2021 12:33 AM

Hi @darspla,

as you can see at https://regex101.com/r/hQylcj/1 the above regex is correct.

Ciao.

Giuseppe

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Hello Splunkers,   So you searched, “what is the name of the usb key inserted by bob smith?”  Not gonna lie… ...

Automating Threat Operations and Threat Hunting with Recorded Future

    Automating Threat Operations and Threat Hunting with Recorded Future June 29, 2026 | Register   Is your ...