Splunk Search

How can I create a search with more than one field from a specific log format?

New Member

Hello,

I have logs in this format:

2016-06-27 21:35:50 (123456789467056149): string11 creating to String12:
a1  3
a2  1
a3  -12
a4  12345678

2016-06-27 21:35:51 (987654321123033111): string21 creating to String22:
a1  7
a2  11
a3  -36
a4  23456789

I want to create a search with results in the format:

a4   count(String12)   count(String22)
12345678    7                5
23456789   1                 3 

Could anyone help me create the search?

0 Karma

Re: How can I create a search with more than one field from a specific log format?

Champion

Can you explain the logic behind the search results you want? How did you get those final numbers based on the first set of numbers? Are any of those fields already extracted in your data? Does each event in Splunk contain the timestamp and the a1-a4 lines?

0 Karma

Re: How can I create a search with more than one field from a specific log format?

New Member

Thank you for your interest in the topic 🙂

a4 is an 8-digit numeric string (in the example it was otherwise; I corrected it), formatted as: a4\t12345678
Not everything in the logs looks the same, but the sought events are all the same.
I'm searching for how often, for each unique a4, the different service names (String12, String22, etc. in the example) can be found in the log in the analyzed period.

Is it clearer now?

0 Karma

Re: How can I create a search with more than one field from a specific log format?

Motivator

Just create the extractions to create the fields you need.

Your search | rex "creating to (?<service>[^:]+):" | rex "a4\s+(?<a4>\d+)" | chart count over a4 by service

You can also make the extractions in your sourcetype definition in props.conf.

------------
Hope I was able to help you. If so, an upvote would be appreciated.
0 Karma
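To make the rex/chart logic in the answer above concrete, here is an added example (not from the thread or from Splunk itself) that applies the same two extractions to the sample events from the question and pivots the counts the way `chart count over a4 by service` does. The log text is constructed inline from the two events in the original post plus a third, assumed event that reuses an existing a4 and service so that a cell other than 1 shows up; the event splitting at the timestamp stands in for Splunk's own line breaking.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log: the two events from the question plus a third,
# assumed event (same a4 as the second, same service as the first). Tabs
# separate the aN field name from its value, as the asker described.
SAMPLE_LOG = (
    "2016-06-27 21:35:50 (123456789467056149): string11 creating to String12:\n"
    "a1\t3\na2\t1\na3\t-12\na4\t12345678\n"
    "\n"
    "2016-06-27 21:35:51 (987654321123033111): string21 creating to String22:\n"
    "a1\t7\na2\t11\na3\t-36\na4\t23456789\n"
    "\n"
    "2016-06-27 21:35:52 (111111111111111111): string31 creating to String12:\n"
    "a1\t1\na2\t2\na3\t-3\na4\t23456789\n"
)

# Event boundary: every line that starts with a timestamp begins a new
# multi-line event (what Splunk's line breaking would do for this format).
EVENT_SPLIT = re.compile(r"(?m)^(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} )")

# The two extractions from the answer: "[^:]+" captures the whole service
# name up to the colon (a single "[^:]" would capture only one character),
# and a4 is taken as the run of digits following "a4" at the start of a line.
SERVICE_RE = re.compile(r"creating to (?P<service>[^:]+):")
A4_RE = re.compile(r"(?m)^a4\s+(?P<a4>\d+)")


def split_events(raw):
    """Break raw multi-line log text into events at timestamp boundaries."""
    return [e for e in EVENT_SPLIT.split(raw) if e.strip()]


def extract_fields(event):
    """Equivalent of the two 'rex' commands: return {'service', 'a4'} for
    one event, or None when either field is missing (rex would leave the
    field unset and chart would then ignore that event)."""
    svc = SERVICE_RE.search(event)
    a4 = A4_RE.search(event)
    if not svc or not a4:
        return None
    return {"service": svc.group("service"), "a4": a4.group("a4")}


def chart_count_over_a4_by_service(raw):
    """Equivalent of '| chart count over a4 by service': one row per a4,
    one column per service, each cell the number of events (0 if none)."""
    counts = defaultdict(Counter)
    services = set()
    for event in split_events(raw):
        fields = extract_fields(event)
        if fields is None:
            continue
        counts[fields["a4"]][fields["service"]] += 1
        services.add(fields["service"])
    cols = sorted(services)
    return {a4: {s: counts[a4][s] for s in cols} for a4 in sorted(counts)}


def render(table):
    """Print the chart in the tabular shape the question asked for."""
    cols = sorted({c for row in table.values() for c in row})
    print("a4\t" + "\t".join("count(%s)" % c for c in cols))
    for a4, row in table.items():
        print(a4 + "\t" + "\t".join(str(row[c]) for c in cols))


if __name__ == "__main__":
    render(chart_count_over_a4_by_service(SAMPLE_LOG))
```

The same two regexes can be placed in the sourcetype's props.conf stanza as `EXTRACT-<name>` settings instead of inline `rex` commands, which is what the answer means by defining the extractions in the sourcetype definition.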