Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Help with rex regex to extract a field value for a chart?

mark_chuman
Path Finder
‎08-20-2014 10:34 AM

I have a search that will return the log entry below. The search is here:

< "Authentication succeeded for user [*] in tenant [vsphere.local] in [*] milliseconds" host=valuetonarowdownhost >

Text
Authentication succeeded for user [userid@domain] in tenant [vsphere.local] in [185] milliseconds

But I would like to create a rex value for any integer between the last brackets (here it's 185) and then create a chart for it. I'm trying to trend on how long it takes to authenticate a user. Been trying in vain to come up with an expression that works for me.

Any help appreciated!

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

grijhwani
Motivator
‎08-20-2014 10:54 AM

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"

View solution in original post

Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎08-20-2014 12:45 PM

Try something like this (for your followup question)

your base search | rex "^.*\[.*\[.*\[(?P<logon_time>[0-9]+)" | eval host="host_".host| timechart avg(logon_time) by host | addtotals fieldname=AllHosts host_* | rename host_* as *
0 Karma
Reply
Solved! Jump to solution

grijhwani
Motivator
‎08-21-2014 04:53 PM

Yes. You have to have some function to aggregate all results falling into the same time slot. Examples would be avg() or sum().

0 Karma
Reply
Solved! Jump to solution

mark_chuman
Path Finder
‎08-20-2014 01:31 PM

Thanks! Any reason why wouldn't be able to adjust this part - |timechart avg(logon_time) to | timechart (logon_time) - ie, you just want the raw data and not have it averaged.

0 Karma
Reply
Solved! Jump to solution
Solution

grijhwani
Motivator
‎08-20-2014 10:54 AM

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"
Reply
Solved! Jump to solution

mark_chuman
Path Finder
‎08-20-2014 12:18 PM

Thank you, very powerful. It's working now, in that I'm able to chart out the average of that specific value (I'll call it logon_time) and I have a field now called logon_time. So, I'll have the search and then add on | timechart avg(logon_time). That gives me the daily average for that value over time using the logs from all the hosts. Any idea how I would expose the average for each host and have it overlap on the same chart? Also, I don't necessarily need the average, but just the raw value. I was trying something like | select time_logon | timechart count by host..

Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...