Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with rex regex to extract a field value for a chart?

mark_chuman
Path Finder
‎08-20-2014 10:34 AM

I have a search that will return the log entry below. The search is here:

< "Authentication succeeded for user [*] in tenant [vsphere.local] in [*] milliseconds" host=valuetonarowdownhost >

Text
Authentication succeeded for user [userid@domain] in tenant [vsphere.local] in [185] milliseconds

But I would like to create a rex value for any integer between the last brackets (here it's 185) and then create a chart for it. I'm trying to trend on how long it takes to authenticate a user. Been trying in vain to come up with an expression that works for me.

Any help appreciated!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

grijhwani
Motivator
‎08-20-2014 10:54 AM

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-20-2014 12:45 PM

Try something like this (for your followup question)

your base search | rex "^.*\[.*\[.*\[(?P<logon_time>[0-9]+)" | eval host="host_".host| timechart avg(logon_time) by host | addtotals fieldname=AllHosts host_* | rename host_* as *
0 Karma
Reply
Solved! Jump to solution

grijhwani
Motivator
‎08-21-2014 04:53 PM

Yes. You have to have some function to aggregate all results falling into the same time slot. Examples would be avg() or sum().

0 Karma
Reply
Solved! Jump to solution

mark_chuman
Path Finder
‎08-20-2014 01:31 PM

Thanks! Any reason why wouldn't be able to adjust this part - |timechart avg(logon_time) to | timechart (logon_time) - ie, you just want the raw data and not have it averaged.

0 Karma
Reply
Solved! Jump to solution
Solution

grijhwani
Motivator
‎08-20-2014 10:54 AM

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"
Reply
Solved! Jump to solution

mark_chuman
Path Finder
‎08-20-2014 12:18 PM

Thank you, very powerful. It's working now, in that I'm able to chart out the average of that specific value (I'll call it logon_time) and I have a field now called logon_time. So, I'll have the search and then add on | timechart avg(logon_time). That gives me the daily average for that value over time using the logs from all the hosts. Any idea how I would expose the average for each host and have it overlap on the same chart? Also, I don't necessarily need the average, but just the raw value. I was trying something like | select time_logon | timechart count by host..

Reply
Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...