Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to add a column to a stats table using rex

harshparikhxlrd
Path Finder
‎10-31-2019 09:03 AM

I'm fairly new to splunk and have just learned how to use the rex/regex. I am trying to add a column in my string search to a statistics table to display the name of the workstation. This is my current string.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2019 09:30 AM

Hi harshparikhxlrd
if the field you want i ComputerName, probably you already have because Splunk recognize by itself the pair field=value.
Anyway the regex to extract Computername is:

| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"

that you can test at https://regex101.com/r/0n0rks/1

So your search will be (sorry I cannot rewrite your regex because I cannot see it, use Code Sample button to share regexes):

index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error") 
| rex "Message : (?.+.?)" 
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"
| stats count by ex 
| rename ex as Exception

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-31-2019 09:30 AM

Hi harshparikhxlrd
if the field you want i ComputerName, probably you already have because Splunk recognize by itself the pair field=value.
Anyway the regex to extract Computername is:

| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"

that you can test at https://regex101.com/r/0n0rks/1

So your search will be (sorry I cannot rewrite your regex because I cannot see it, use Code Sample button to share regexes):

index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error") 
| rex "Message : (?.+.?)" 
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task"
| stats count by ex 
| rename ex as Exception

Ciao.
Giuseppe

Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎11-04-2019 12:07 AM

Hi harshparikhxlrd,
Try now:

index=monitoring sourcetype=PEGA:WinEventLog:Application ( SourceName="RoboticLogging" OR SourceName="Application" ) ("Department=" "HRSS_STL") ("Type=" "Error") 
| rex "(?ms)ComputerName\=(?<Computername>[^ ]*)Task.*Message\=(?<Message>.*)"
| stats stats values(Message) As Message values(Computername) AS Computername count by ex 
| rename ex as Exception

That you can test at https://regex101.com/r/0n0rks/2 .

Ciao.
Giuseppe

0 Karma
Reply
Solved! Jump to solution

harshparikhxlrd
Path Finder
‎10-31-2019 09:06 AM

Adding to previous post:

Message=

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...