Splunk Search

Help with rex regex to extract a field value for a chart?

mark_chuman
Path Finder

I have a search that will return the log entry below. The search is here:

< "Authentication succeeded for user [*] in tenant [vsphere.local] in [*] milliseconds" host=valuetonarowdownhost >

Text
Authentication succeeded for user [userid@domain] in tenant [vsphere.local] in [185] milliseconds

But I would like to create a rex value for any integer between the last brackets (here it's 185) and then create a chart for it. I'm trying to trend on how long it takes to authenticate a user. Been trying in vain to come up with an expression that works for me.

Any help appreciated!

Tags (3)
0 Karma
1 Solution

grijhwani
Motivator

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"

View solution in original post

somesoni2
Revered Legend

Try something like this (for your followup question)

your base search | rex "^.*\[.*\[.*\[(?P<logon_time>[0-9]+)" | eval host="host_".host| timechart avg(logon_time) by host | addtotals fieldname=AllHosts host_* | rename host_* as *
0 Karma

grijhwani
Motivator

Yes. You have to have some function to aggregate all results falling into the same time slot. Examples would be avg() or sum().

0 Karma

mark_chuman
Path Finder

Thanks! Any reason why wouldn't be able to adjust this part - |timechart avg(logon_time) to | timechart (logon_time) - ie, you just want the raw data and not have it averaged.

0 Karma

grijhwani
Motivator

The quickest solution to the problem would be to use the interactive field extractor tool. That will give you a rex pattern you can work with, although having generated the field extraction, you could just save it and use it by name.

The following might suit your needs:

| rex "^.*\[.*\[.*\[(?P<millisec>[0-9]+)"

mark_chuman
Path Finder

Thank you, very powerful. It's working now, in that I'm able to chart out the average of that specific value (I'll call it logon_time) and I have a field now called logon_time. So, I'll have the search and then add on | timechart avg(logon_time). That gives me the daily average for that value over time using the logs from all the hosts. Any idea how I would expose the average for each host and have it overlap on the same chart? Also, I don't necessarily need the average, but just the raw value. I was trying something like | select time_logon | timechart count by host..

Get Updates on the Splunk Community!

Monitoring MariaDB and MySQL

In a previous post, we explored monitoring PostgreSQL and general best practices around which metrics to ...

Financial Services Industry Use Cases, ITSI Best Practices, and More New Articles ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Splunk Federated Analytics for Amazon Security Lake

Thursday, November 21, 2024  |  11AM PT / 2PM ET Register Now Join our session to see the technical ...