Splunk Search

How to edit my search to extract numeric values with rex and create a line chart?

sankarms
Explorer

I have thousands of log files that look like this

[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM
Content-length: 0

The logs contain a timestamp, a unique request id, and the length of the content. I want to make a line chart that shows the content-length on the y-axis and the request on the x-axis, so you can see over a span of time what all the content-lengths received were. I first tried to count the lengths with this search:

"Content-length: " | rex  (?<length>\d+) | stats count(length)

In English, I'm trying to say "you have 5 requests with a content length of 0, 10 requests with a content length of 5, etc etc". What am I doing wrong?

0 Karma
1 Solution

niketnilay
Legend

@Sankarms, a slight change to your search; I think events are being counted by their length:

Your base search "Content-length: " | rex  field=_raw "Content-length:\s+(?<length>\d+)" | stats count by length
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma

adamsaul
Communicator

Sankarms,

Here is an example you can paste directly into your Splunk search bar, to extract the length found and label it as 'length':

| makeresults | eval example="[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM Content-length: 0" | rex field=example "Content-length:\s*(?<length>\d+)"

If the content above looks good, your search should be as follows:

"Content-length: " | rex field=_raw "Content-length:\s*(?<length>\d+)" | stats count(length)
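Both answers above extract the value the same way with rex; what decides whether you get a chart or a single number is the aggregation after it. The following Python script is an added illustration, not code from either answer or from Splunk: it emulates the rex extraction and the two aggregations over a handful of constructed events in the question's format, so you can see that `stats count(length)` returns one count of events that have the field, `stats count by length` returns the per-length histogram the question describes ("5 requests with length 0, ..."), and a per-request table is the series you would feed a line chart. The sample events, the request ids in them, and the helper names are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample events in the shape shown in the question (not real log data):
# timestamp and request id on one line, the Content-length header on the next.
# The last event has no header, to show how an event without the field behaves.
SAMPLE_EVENTS = [
    "[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM\nContent-length: 0",
    "[27/Oct/2016:20:09:01 --0700] WBLBSdFyTFYAAHPuH1kAAAAN\nContent-length: 5",
    "[27/Oct/2016:20:09:04 --0700] WBLBSdFyTFYAAHPuH1kAAAAO\nContent-length: 0",
    "[27/Oct/2016:20:09:09 --0700] WBLBSdFyTFYAAHPuH1kAAAAP\nContent-length: 5",
    "[27/Oct/2016:20:09:12 --0700] WBLBSdFyTFYAAHPuH1kAAAAQ\nContent-length: 1024",
    "[27/Oct/2016:20:09:15 --0700] WBLBSdFyTFYAAHPuH1kAAAAR",
]

# Same pattern the answers pass to rex; the named group becomes the "length" field.
# \s+ also matches the newline, so the header on the second line is still found.
LENGTH_RE = re.compile(r"Content-length:\s+(?P<length>\d+)")
# Timestamp and request id from the first line of the event.
EVENT_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s+(?P<reqid>\S+)")


def rex_length(event):
    # Emulates the rex command: the extracted value as an int, or None when the
    # pattern does not match (in Splunk the event then simply has no length field).
    m = LENGTH_RE.search(event)
    return int(m.group("length")) if m else None


def stats_count_length(events):
    # Emulates `stats count(length)`: a single number, the count of events in
    # which the length field exists. This is what the asker's search produced.
    return sum(1 for e in events if rex_length(e) is not None)


def stats_count_by_length(events):
    # Emulates `stats count by length`: one row per distinct length value, i.e.
    # the histogram "N requests with content length X" the question asks for.
    counts = Counter(rex_length(e) for e in events if rex_length(e) is not None)
    return dict(sorted(counts.items()))


def length_per_request(events):
    # Emulates `table _time, reqid, length`: one (timestamp, request id, length)
    # point per request in time order, the series for the requested line chart.
    rows = []
    for e in events:
        m = EVENT_RE.match(e)
        length = rex_length(e)
        if m and length is not None:
            rows.append((m.group("ts"), m.group("reqid"), length))
    return rows


if __name__ == "__main__":
    print("count(length):", stats_count_length(SAMPLE_EVENTS))
    print("count by length:", stats_count_by_length(SAMPLE_EVENTS))
    for ts, reqid, length in length_per_request(SAMPLE_EVENTS):
        print(ts, reqid, length)
```

Run as-is, the script prints `count(length): 5`, then `{0: 2, 5: 2, 1024: 1}`, then the five per-request rows; the sixth event contributes nothing to any of them because it has no length field. In Splunk, the equivalent of the last function is `... | rex field=_raw "Content-length:\s+(?<length>\d+)" | table _time, length`, which the Visualization tab will render as a line chart; the per-length histogram from `stats count by length` is also the quickest way to spot unusual content lengths that stand out from the normal distribution.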