Solved: How to break events in this scenario

sarvan7777 · ‎05-02-2018

Here is a subset of my log file. This content appears for an App named App-1, but it just repeats in my log for around 12 Apps.

Scan **App-1** 
<blah blah>
<blah blah>
Start of Test
Table row count : 100
Messages in queue: 100
JMS Topics and row count in queue:
10   Topic1
17   Topic2
13   Topic3
20   Topic5
40   Topic5 
End of Test... 

Scan for Threshold...

WARNING -- Threshold Exceeded!

All I need is the table that has count and Topic1, Topic2 etc values as fields in Splunk

Count & Topic needs to be available as extracted fields in Splunk for the App-1 (App-1 is again an extracted field from this data set)

Any input is appreciated

woodcock · ‎05-02-2018

Like this:

... | rex "Scan \*\*(?<App>\S+)\*\*"
| rex max_match=0 "(?<Count>\d+)\s+(?<Topic>Topic\d+)"
| eval _raw=mvzip(Topic, Count, "=")
| kv

View solution in original post

FrankVl · ‎05-03-2018

I would be enclined to say: create a scripted input for this, that translates these files to a csv containing the desired data and then ingest that into splunk.

woodcock · ‎05-02-2018

Like this:

... | rex "Scan \*\*(?<App>\S+)\*\*"
| rex max_match=0 "(?<Count>\d+)\s+(?<Topic>Topic\d+)"
| eval _raw=mvzip(Topic, Count, "=")
| kv

How to break events in this scenario

Introducing the Splunk Community Dashboard Challenge!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...