
How to create a new field from a dynamic interesting field?

lyanwoah
New Member

Hi,

I'm trying to build a dashboard with data from dynaTrace alerting (via the SplunkAlert plugin).
The goal of this report is to display the number of alerts by application and/or by JVM.
However, the application or JVM information isn't available in a specific field.
I have to read a field named dtIncidentViolations.* to find out which application is involved in the alert.
I can't modify the alert, so I have to do it in Splunk.
I would like to create two new fields which parse the fields named dtIncidentViolations.*, to retrieve the JVM in one field and the app in the other.
Do you have any idea how to do it?
Just to be precise, I can't use just one regex to retrieve this information because it isn't necessarily in the same place in the field name.

I tried to do this using the rex command, but it didn't work. The following command will show you the field from which I want to extract the app and JVM information.

index=dynatrace sourcetype=alert | table dtIncidentViolations.* | transpose | table column

richgalloway
SplunkTrust

Here's a regex string that will extract app and JVM names from your sample data. It assumes app names are always followed by either '{' or ' (' and the JVM name is within parens.

 (?P<app>\w+)(?:\{| \((?<JVM>[\w_@\.]+))
---
If this reply helps you, Karma would be appreciated.


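To see what the regex above actually captures, here is an added Python example (not from the thread and not Splunk's own code) that applies it to field names constructed in the shape shown in the question. Splunk's rex uses PCRE, which accepts both `(?P<name>...)` and `(?<name>...)`; Python's re module only accepts the former, so the JVM group is written as `(?P<JVM>...)` here. The host part after `@`, elided in the original sample, is made up, and the last field name is a hypothetical one with a hyphen in the app name, included to show what happens when the `\w+` assumption is not met.

```python
import re

# Regex from the answer above. Splunk's rex is PCRE and accepts (?<JVM>...);
# Python's re needs the (?P<JVM>...) spelling for the same named group.
PATTERN = re.compile(r"(?P<app>\w+)(?:\{| \((?P<JVM>[\w_@\.]+))")

# Constructed sample field names in the shape shown in the thread.
# The "@host01" part is made up (it was elided as "@..." in the original).
SAMPLE_FIELDS = [
    "dtIncidentViolations.Application Response Time - DB Time [] BOUTIQUESVIR{}",
    "dtIncidentViolations.BV - ouvrirSession BOUTIQUESVIR{}",
    "dtIncidentViolations.Failed Transaction Count BOUTIQUESVIR (b2b2c_pr02@host01){}",
    "dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr03@host01){}",
    "dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gb2000{}",
    "dtIncidentViolations.Failed Transaction Count of Web Page Requests [web] ELISAWEB (elisa_pr01@host01){}",
    # Hypothetical name that violates the \w+ assumption: a hyphen in the app name.
    "dtIncidentViolations.Failed Transaction Count MY-APP{}",
]


def extract(field_name):
    """Return (app, jvm) for one field name, or (None, None) if nothing matches.

    Like Splunk's rex, only the first (leftmost) match is used, so the metric
    words before the app name are skipped because none of them is followed by
    '{' or ' ('.  The JVM group stops at ')' and therefore keeps the '@host'
    suffix; if only the part before '@' is wanted, trim it afterwards.
    """
    m = PATTERN.search(field_name)
    if not m:
        return None, None
    return m.group("app"), m.group("JVM")


def count_by_app(field_names):
    """Rough equivalent of `... | stats count by app` over the extracted names."""
    counts = {}
    for name in field_names:
        app, _jvm = extract(name)
        if app is not None:
            counts[app] = counts.get(app, 0) + 1
    return counts


if __name__ == "__main__":
    for name in SAMPLE_FIELDS:
        print(extract(name), "<-", name)
    # The hyphenated name comes out as "APP", not "MY-APP": the regex only
    # captures \w characters, exactly as the answer's assumption states.
    print(count_by_app(SAMPLE_FIELDS))
```

The hyphenated case is the one to watch: the regex does not fail on it, it silently returns the part of the name after the hyphen, so a `stats count by app` would report a wrong app name rather than a missing one.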

lyanwoah
New Member

Great! It works for 80% of my alerts.

index=dynatrace sourcetype=alert | table dtIncidentViolations.* | transpose | table column | rex field=column "(?P<app>\w+)(?:\{| \((?<JVM>[\w_@\.]+))"

Is it possible to make the fields APP and JVM two new interesting fields?
That would be easier to use, because my search will look like this and won't be easy to modify:

index = dynatrace sourcetype = alert ( MAE ) OR ( FILIP ) OR ( GAEL ) OR ( BOUTIQUESVIR ) OR ( APOGEE ) OR ( NEWAUTO ) | table dtIncidentName dtIncidentViolations.* | transpose 500 column_name="Appli" header_field=dtIncidentName include_empty=false | rex field=Appli "(?P<app>\w+)(?:\{| \((?<JVM>[\w_@\.]+))" | stats count("Failure rate too high") as "Taux d'erreur", count("Average response time degraded") as "Tps réponse dégradé",count("Application Process Unavailable (unexpected)") as "Perte connectivité JVM",count("Application Process Out-of-Memory") as "Out-of-Memory" by app

richgalloway
SplunkTrust

Please share some sample data.

---
If this reply helps you, Karma would be appreciated.

lyanwoah
New Member

The result of this search is:

dtIncidentViolations.Application Response Time - DB Time [] BOUTIQUESVIR{}
dtIncidentViolations.Application Response Time - PurePath Response Time [] Icone{}
dtIncidentViolations.Application Response Time - PurePath Response Time [] Maestro{}
dtIncidentViolations.Application Response Time - Time [] BOUTIQUESVIR{}
dtIncidentViolations.Application Response Time - Time [] FILENET{}
dtIncidentViolations.BV - ouvrirSession BOUTIQUESVIR{}
dtIncidentViolations.Failed Transaction Count BOUTIQUESVIR (b2b2c_pr02@...){}
dtIncidentViolations.Failed Transaction Count Epj (epjgds_pr02@...){}
dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr01@...){}
dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr03@...){}
dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr04@...){}
dtIncidentViolations.Failed Transaction Count Gb2000 (gb2k_pr01@...){}
dtIncidentViolations.Failed Transaction Count Lea (leacoll_pr02@...){}
dtIncidentViolations.Failed Transaction Count Rce (refcli_pr02@...){}
dtIncidentViolations.Failed Transaction Count Trajectoire (trajec_pr02@...){}
dtIncidentViolations.Failed Transaction Count of Application Response Time [] BOUTIQUESVIR{}
dtIncidentViolations.Failed Transaction Count of Application Response Time [] Gael{}
dtIncidentViolations.Failed Transaction Count of Application Response Time [] Gb2000{}
dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime BOUTIQUESVIR{}
dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gael{}
dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gb2000{}
dtIncidentViolations.Failed Transaction Count of Web Page Requests [<...>] ELISAWEB (elisa_pr01@...){}
...

I would like to add a rex command to put, for example, BOUTIQUESVIR in a field app and b2b2c_pr02 in a field JVM. The main issue is that I have more than 300 fields named dtIncidentViolations.* and the app and JVM information is not in the same place...