Splunk Search

How do you retrieve names in comments using regex?

ramesh12345
Explorer

Hi,

index="os" sourcetype="test"  CaseNumber=*| dedup _time,CaseNumber  | rex field=Notes "(?\d+-\d+-\d+\s*\d+:\d+:\d+)\s*\-\s*(?\w*\W*\w*\s*\w*\s*\(\d+\))\s*"

The above query displays the lastupdated user. But I want to display all names from the comments

EX:

2019-03-07 11:48:12 - one (1234513241) (Case Notes (Comments Visible )) data in not loading
2019-03-07 12:48:12 - two (2345132421) (Case Notes (Comments Visible)) error occured
2019-03-06 14:48:12 - three (3451324143) (Case Notes (Comments Visible)) testing
2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress
2019-03-06 17:48:12 - four (2416575443) (Case Notes (Comments Visible)) filter option
2019-03-06 18:48:12 - five (4154678765) (Case Notes (Comments Visible)) data loading

This is for one case. After date is names of the persons. So I want to display all names who commented for that case.

Ex:Casenumber is 1111

1111 one (1234513241) two (2345132421) three (3451324143) four (2416575443) five (4154678765) like this

How do I write the regular expression to do this?

Tags (3)
0 Karma
1 Solution

vnravikumar
Champion

Hi @ramesh12345

Try this

| makeresults 
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress" 
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@ramesh12345 ,

Based on your sample data , try

"your search"
| rex "-\s(?<Names>\w+\s\(\d+\))"
| stats values(Names) as Names by Casenumber 
| nomv Names 
0 Karma

ramesh12345
Explorer

Hi,
With you query i am getting names who worked on that particular case.But My requirement is to display single person completed cases.
Ex: Case:1 name: raju
Case:2 name:raju,ramu,rakesh
Case:3 name:ramu,rakesh,rahul,raju

so the requirement is single peron completed cases.

Here raju only worked on one case.so raju count is 1

In multiple cases he involved: raju count is 2

index="os" sourcetype="Service" CaseNumber=* status=* assignment=* |dedup _time,CaseNumber,assignment|streamstats current=f last(assignment) as lg, last(active) as Active by CaseNumber|lookup L1Team.csv SSO as assigned_to OUTPUT TeamName| eval is_escalated= if(assignment!=lg AND assignment_group="Sustaining",1,NULL) |eval is_resolved=if(assignment="Sustaining" AND status="Complete" AND (isnull(Active) OR Active="true"),1,NULL)|stats count(is_escalated) AS "Escalated Cases" count(is_resolved) AS "Resolved Cases" by assigned_to,TeamName| fields - TeamName

with this query iam getting only who closed this case.that number is assigned to that case.
i want to display like above what i explained.Please help how to do this

0 Karma

vnravikumar
Champion

Hi @ramesh12345

Try this

| makeresults 
| eval comments="2019-03-06 15:48:12 - one (5513241321) (Case Notes (Comments Visible)) case in progress" 
| rex field=comments "\s-\s(?P<name>[\w]*\s\(\w*\))"

View solution in original post

0 Karma