Help with Regex for raw data to create pie chart?

gemtm · ‎04-05-2023

I need some help to create a pie chart of songs using this raw data. The command I'm using is this:

|rex (?<track>(?<=title=)"(.*?)".*$) |stats count by track

This isn't showing a count of the songs, can anyone help me out to get this to work? Regex101 shows the regex as working to extract the song titles. Splunk does not give an error but the stats/viz panels show nothing.

Example of raw log below.

{ mediaId="NowPlayingId39" title="On The Ground" artist="ROSÉ" album="" duration=0 trackPosition=39/50 image=null }
{ mediaId="NowPlayingId40" title="Rollercoaster" artist="Bleachers" album="" duration=0 trackPosition=40/50 image=null }
{ mediaId="NowPlayingId41" title="Ghost of You" artist="Mimi Webb" album="" duration=0 trackPosition=41/50 image=null }

woodcock · ‎04-05-2023

Like this:

| makeresults 
| eval raw="{ mediaId=\"NowPlayingId39\" title=\"On The Ground\" artist=\"ROSÉ\" album=\"\" duration=0 trackPosition=39/50 image=null } { mediaId=\"NowPlayingId40\" title=\"Rollercoaster\" artist=\"Bleachers\" album=\"\" duration=0 trackPosition=40/50 image=null } { mediaId=\"NowPlayingId41\" title=\"Ghost of You\" artist=\"Mimi Webb\" album=\"\" duration=0 trackPosition=41/50 image=null }" 
| makemv tokenizer="({[^}]+})" raw
| mvexpand raw
| rename raw AS _raw
| kv
| stats count BY title
| rename title AS track

gcusello · ‎04-05-2023

Hi @gemtm,

let me understand: when you say stats count By track, track is the "trackPosition"?

if yes you shouldn't need to extract the field because automatically Splunk extract fields when it encounters a pair"field=value".

if not, please describe whwt you mean for track.

Then, your logs seem to be in json format, did you tried using the "spath" command to extract fields?

Ciao.

Giuseppe

gemtm · ‎04-05-2023

I was trying to create a field name of "track" for the value I am trying to extract with the regex. I appreciate this may be an incorrect way to do it, as I do not usually use SPL.

I've not seen the spath command, I'll take a look at this next.

Thank you!

gcusello · ‎04-05-2023

Hi @gemtm,

what do you mean with track all the row or one of the fields?

please highligh in bold the "track" content

{ mediaId="NowPlayingId39" title="On The Ground" artist="ROSÉ" album="" duration=0 trackPosition=39/50 image=null }

Ciao.

Giuseppe

gemtm · ‎04-05-2023

{ mediaId="NowPlayingId39" title="On The Ground" artist="ROSÉ" album="" duration=0 trackPosition=39/50 image=null }

gcusello · ‎04-05-2023

Hi @gemtm,

you should already have the extraction of the field track with the fieldname "title, so you have only to rename it:

index=your_index
| rename title AS track
| stats count BY track

if you haven't you could try:

index=your_index
| rex "title\=\"(?<track>[^\"]+)"
| stats count BY track

Ciao.

Giuseppe

gemtm · ‎04-05-2023

I think the issue may be bigger than I expected, as the field "title" only picked out one song title from the list.

Thank you regardless!

gcusello · ‎04-05-2023

Hi @gemtm ,

if one answer solves your need, please accept one answer for the other people of Community or tell me how I can help you.

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated 😉

Help with Regex for raw data to create pie chart?

field extraction

regex

rex

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!