I have logs in this format:
2016-06-27 21:35:50 (123456789467056149): string11 creating to String12: a1 3 a2 1 a3 -12 a4 12345678 2016-06-27 21:35:51 (987654321123033111): string21 creating to String22: a1 7 a2 11 a3 -36 a4 23456789
I want to create a search with results in the format:
a4 count(String12) count(String22) 12345678 7 5 23456789 1 3
Could anyone you help me create search?
can you explain the logic behind the search results you want? how did you get those final numbers based on the first set of numbers? are any of those fields already extracted in your data? Does each event in Splunk contain the timestamp and the a1-a4 lines?
Thank you for your interest in the topic 🙂
a4 shows 8 sign long digital string (in example was otherwise, I corrected it) - formated: a4\t12345678
Not all in logs looks the same, but for sought events are the same.
I'm searching how often in log for unique a4 can find different service names (in example was String12, String22, etc.) in the analyzed period.
It's more clearly?
Just create the extractions to create the fields you need
Your search | rex "creating to (?<service>[^\:]) | rex "a4\s+(?<a4>[\d]*) | chart count over service by a4
You can make the extractions also in you sourcetype definition on props.conf