Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Field Extractor - extract digit from brackets

darspla
Explorer
‎08-11-2021 11:57 PM

Hi,
I would like to extract particular digit from brackets, index it as follows and based on that create stats hourly.
Each time is picking this up with bracket as a string.

This is service which is making entry every hour, once will recognize to add up will present digit , if not will be 0.
My goal would be to have stats from every hour on the graph to see how does it changes.

darspla_0-1628751294001.png

 

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2021 12:32 AM

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

View solution in original post

0 Karma
Reply
Solved! Jump to solution

darspla
Explorer
‎08-12-2021 01:22 AM

Hi @gcusello ,
Yes, works very nicely. Would you have any idea how to retrieve stats daily from action like below when :
"[36972 ] users to update "

[ 9216 ] users to delete, [ 2 ] users to add, [ 36972 ] users to update in DB cache in [ 6847ms ]


Retrieve data when is higher than '100' ?
Bit concern which graph to choose to make it readable for many people.



0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2021 07:35 AM

Hi @darspla,

I don't know your logs and your requirements.

I suppose that you could have a time distribution day by day or hour by hour, it depends on how frequently you receive the above logs.

So, if e.e. you receive the above logs once in a day, you could run something like this:

index=your_index
| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"
| timechart span=1d max(users_to_add) AS users_to_add

or something like this:

index=your_index
| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"
| bin span=1d _time
| stats max(users_to_delete) AS users_to_delete max(users_to_add) AS users_to_add max(users_to_update) AS users_to_update BY _time

Ciao.

Giuseppe

Reply
Solved! Jump to solution

darspla
Explorer
‎08-13-2021 12:17 AM

Thanks a lot @gcusello , that gave some vision. Modified in 2 other ways so fetched info needed. 

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-13-2021 12:32 AM

Hi @darspla,

good for you, see next time.

If this answer solves your question, please, accept it for the other people of Community.

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2021 12:06 AM

Hi @darspla,

you have to use a regex to extract the fields you need.

I could be more precise if you share two or three examples of your logs (in text format, not image),

Anyway try something like this:

| rex "\[\s+(?<users_to_delete>\d+)\s+\] users to delete, \[\s+(?<users_to_add>\d+)\s+\] users to add, \[\s+(?<users_to_update>\d+)\s+\] users to update"

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

darspla
Explorer
‎08-12-2021 12:22 AM

Hi @gcusello ,

Thanks for quick reply.


2021-08-12 7:17:34.338 AM 2021-08-12 07:17:34,338+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 378 ] users to update in DB cache in [ 1166ms ]

2021-08-12 06:17:34,305+0200 Caesium-1-1 INFO ServiceRunner [c.a.c.d.xxx.cache.xxx] scanned and compared [ 9506 ] users to delete, [ 0 ] users to add, [ 125 ] users to update in DB cache in [ 1129ms ]

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-12-2021 12:33 AM

Hi @darspla,

as you can see at https://regex101.com/r/hQylcj/1 the above regex is correct.

Ciao.

Giuseppe

Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...