Splunk Search

How to create a new field from a dynamic interesting field?

lyanwoah
New Member

Hi,

I'm trying to build a dashboard with data from dynaTrace alerting (via the SplunkAlert plugin).
The goal of this report is to display the number of alerts by application and/or by JVM.
However, the app or JVM information isn't available in a specific field.
I have to read a field named dtIncidentViolation.* to find out which application is involved in the alert.
I can't modify the alert, so I have to get by with Splunk.
I would like to create two new fields which parse some fields named dtIncidentViolation.* to retrieve the JVM in one field and the app in another.
Do you have any idea how to do it?
Just to be precise, I can't use just one regex to retrieve this information because it isn't necessarily in the same place in the field name.

I tried to do this using the rex command, but it didn't work. The following search shows the fields from which I want to extract the app and JVM information.

index=dynatrace sourcetype=alert | table dtIncidentViolations.* | transpose | table column
0 Karma
1 Solution

richgalloway
SplunkTrust

Here's a regex string that will extract app and JVM names from your sample data. It assumes app names are always followed by either '{' or ' (' and the JVM name is within parens.

 (?P<app>\w+)(?:\{| \((?<JVM>[\w_@\.]+))
---
If this reply helps you, Karma would be appreciated.

0 Karma

lyanwoah
New Member

Great! It works for 80% of my alerts.

index=dynatrace sourcetype=alert | table dtIncidentViolations.* | transpose | table column | rex field=column "(?P<app>\w+)(?:\{| \((?<JVM>[\w_@\.]+))"

Is it possible to make the fields APP and JVM two new interesting fields?
It would be easier to use, because my search will look like this and won't be easy to modify:

index = dynatrace sourcetype = alert ( MAE ) OR ( FILIP ) OR ( GAEL ) OR ( BOUTIQUESVIR ) OR ( APOGEE ) OR ( NEWAUTO ) | table dtIncidentName dtIncidentViolations.* | transpose 500 column_name="Appli" header_field=dtIncidentName include_empty=false | rex field=Appli "(?P<app>\w+)(?:\{| \((?<JVM>[\w_@\.]+))" | stats count("Failure rate too high") as "Taux d'erreur", count("Average response time degraded") as "Tps réponse dégradé",count("Application Process Unavailable (unexpected)") as "Perte connectivité JVM",count("Application Process Out-of-Memory") as "Out-of-Memory" by APP
0 Karma

richgalloway
SplunkTrust

Please share some sample data.

---
If this reply helps you, Karma would be appreciated.
0 Karma

lyanwoah
New Member

The result of this search is:

dtIncidentViolations.Application Response Time - DB Time [] BOUTIQUESVIR{}
dtIncidentViolations.Application Response Time - PurePath Response Time [] Icone{}
dtIncidentViolations.Application Response Time - PurePath Response Time [] Maestro{}
dtIncidentViolations.Application Response Time - Time [] BOUTIQUESVIR{}
dtIncidentViolations.Application Response Time - Time [] FILENET{}
dtIncidentViolations.BV - ouvrirSession BOUTIQUESVIR{}
dtIncidentViolations.Failed Transaction Count BOUTIQUESVIR (b2b2c_pr02@...){}
dtIncidentViolations.Failed Transaction Count Epj (epjgds_pr02@...){}
dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr01@...){}
dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr03@...){}
dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr04@...){}
dtIncidentViolations.Failed Transaction Count Gb2000 (gb2k_pr01@...){}
dtIncidentViolations.Failed Transaction Count Lea (leacoll_pr02@...){}
dtIncidentViolations.Failed Transaction Count Rce (refcli_pr02@...){}
dtIncidentViolations.Failed Transaction Count Trajectoire (trajec_pr02@...){}
dtIncidentViolations.Failed Transaction Count of Application Response Time [] BOUTIQUESVIR{}
dtIncidentViolations.Failed Transaction Count of Application Response Time [] Gael{}
dtIncidentViolations.Failed Transaction Count of Application Response Time [] Gb2000{}
dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime BOUTIQUESVIR{}
dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gael{}
dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gb2000{}
dtIncidentViolations.Failed Transaction Count of Web Page Requests [<...>] ELISAWEB (elisa_pr01@...){}
...

I would like to add a rex command to put, for example, BOUTIQUESVIR in a field app and b2b2c_pr02 in a field JVM. The main issue is that I have more than 300 fields named dtIncidentViolations.* and the app and JVM information is not in the same place...

0 Karma
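To see what the accepted answer's pattern actually yields on the field names posted above, here is an added Python example; it is not part of the thread and is not the OP's, richgalloway's or Splunk's code. It applies the regex to constructed copies of the sample field names and tallies matches per app the way the OP's `stats count ... by APP` would. Splunk's `rex` uses PCRE, which accepts both `(?P<name>...)` and `(?<name>...)`; Python's `re` only accepts the `(?P<name>...)` form, so the `JVM` group is written that way here. The hyphenated app name at the end of the sample list is a constructed, hypothetical case that shows one way the pattern can produce a wrong app (the `\w+` group stops at the hyphen), which is the kind of gap behind the "80% of my alerts" remark.

```python
import re
from collections import Counter

# Pattern from the accepted answer, with the JVM group rewritten as (?P<JVM>...)
# because Python's re module does not support the (?<name>...) spelling.
APP_JVM_RE = re.compile(r"(?P<app>\w+)(?:\{| \((?P<JVM>[\w_@\.]+))")

# Constructed sample input: field names copied from the transposed output in the
# thread (the "..." after '@' is as shown there), plus one hypothetical
# hyphenated app name to demonstrate a failure mode of the \w+ group.
SAMPLE_FIELDS = [
    "dtIncidentViolations.Application Response Time - DB Time [] BOUTIQUESVIR{}",
    "dtIncidentViolations.Application Response Time - PurePath Response Time [] Icone{}",
    "dtIncidentViolations.BV - ouvrirSession BOUTIQUESVIR{}",
    "dtIncidentViolations.Failed Transaction Count BOUTIQUESVIR (b2b2c_pr02@...){}",
    "dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr01@...){}",
    "dtIncidentViolations.Failed Transaction Count Gael (gaelsv_pr03@...){}",
    "dtIncidentViolations.Failed Transaction Count of VL2-ResponseTime Gb2000{}",
    # hypothetical: app name containing a hyphen (not from the thread)
    "dtIncidentViolations.Failed Transaction Count My-App (myapp_pr01@...){}",
]


def extract_app_jvm(field_name):
    """Return {'app': ..., 'JVM': ...} as `rex` would populate the two fields.

    JVM is None when the name has no parenthesised JVM part (the '{' branch
    matched); both are None when the pattern does not match at all.
    """
    m = APP_JVM_RE.search(field_name)
    if m is None:
        return {"app": None, "JVM": None}
    return {"app": m.group("app"), "JVM": m.group("JVM")}


def count_by_app(field_names):
    """Equivalent of `... | stats count by app` over the extracted values;
    names that did not match are left out, as stats would drop a null field."""
    counts = Counter()
    for name in field_names:
        app = extract_app_jvm(name)["app"]
        if app is not None:
            counts[app] += 1
    return dict(counts)


if __name__ == "__main__":
    for name in SAMPLE_FIELDS:
        print(extract_app_jvm(name), "<-", name)
    print(count_by_app(SAMPLE_FIELDS))
```

Running it shows the two shapes the regex handles: `... BOUTIQUESVIR{}` gives app only, and `... BOUTIQUESVIR (b2b2c_pr02@...){}` gives both app and JVM. The constructed `My-App` line comes back with app `App`, so any application names containing characters outside `\w` would need the character class widened before the per-app counts are trusted.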