Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I cut a string after a certain text and cou...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is my current search in Jboss Logs:
index=jboss_app CLASS="foo.bar.bas.classname" MESSAGE="Error doing the thing bob wants to do" OR MESSAGE="Error doing the thing joe wants to do"|stats count by MESSAGE |sort - count
Results show
Error doing the thing for **bob** :user1@company.com AccountNumber01: 4920406079372 13
Error doing the thing for **bob** :user2@company.com AccountNumber01: 4079379507040 12
Error doing the thing for **joe** :user3@company.com AccountNumber01: 1040683729965 11
Error doing the thing for **joe** :user4@company.com AccountNumber01: 60284967030205 10
The results I want are to simply count how many results show "Error doing the thing for bob" and "Error doing the thing for joe" and list it as such. Just need to count how many for each.
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@iambobwall,
There are multiple ways to do using regex.
If you want "everything" before the "text", then try
|rex field=MESSAGE "(?P<MY_MESSAGE>^(.*?))bob" -- Result : Error doing the thing
^(.*?) will match everything until it finds the text bob. This could be used if you have a common string (e.g. bob) in every line. You could also use ":" to include bob also part of the string.
|rex field=MESSAGE "(?P<MY_MESSAGE>^(.*?)):" -- Result : Error doing the thing bob
OR
Use below to search for first 6 words literally if the error message's format is same.
|rex field=MESSAGE "(?P<MY_MESSAGE>(\w+\s){6})" -- Result : Error doing the thing for bob
Try and let's know if you need any changes to these
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@iambobwall,
There are multiple ways to do using regex.
If you want "everything" before the "text", then try
|rex field=MESSAGE "(?P<MY_MESSAGE>^(.*?))bob" -- Result : Error doing the thing
^(.*?) will match everything until it finds the text bob. This could be used if you have a common string (e.g. bob) in every line. You could also use ":" to include bob also part of the string.
|rex field=MESSAGE "(?P<MY_MESSAGE>^(.*?)):" -- Result : Error doing the thing bob
OR
Use below to search for first 6 words literally if the error message's format is same.
|rex field=MESSAGE "(?P<MY_MESSAGE>(\w+\s){6})" -- Result : Error doing the thing for bob
Try and let's know if you need any changes to these
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I tried the "rex" option and it worked like a charm. Thank you!
|rex field=MESSAGE "(?P <\MULTI_SINGLE>\ (\w+\s){11})"|stats count by MULTI_SINGLE|sort - count
Gives me exactly the format and information I am looking for.
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Announcing Modern Navigation: A New Era of Splunk User Experience
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
