Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to extract numeric values with rex and create a line chart?

sankarms
Explorer
‎12-05-2016 10:30 AM

I have thousands of log files that look like this

[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM
Content-length: 0

The logs contain a: timestamp, unique request id, and length of the content. I want to make a line chart that shows the content-length on the y-axis and the request on the x-axis so you can see over a span of time, what were all the content-lengths received. I first tried to count the lengths with this search:

"Content-length: " | rex  (?<length>\d+) | stats count(length)

In English, I'm trying to say "you have 5 requests with a content length of 0, 10 requests with a content length of 5, etc etc". What am I doing wrong?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

niketn
Legend
‎12-05-2016 11:37 AM

@Sankarms, slight change to your search, I think events are being counted by their length:

Your base search "Content-length: " | rex  field=_raw "Content-length:\s+(?<length>\d+)" | stats count by length
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

niketn
Legend
‎12-05-2016 11:37 AM

@Sankarms, slight change to your search, I think events are being counted by their length:

Your base search "Content-length: " | rex  field=_raw "Content-length:\s+(?<length>\d+)" | stats count by length
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

adamsaul
Communicator
‎12-05-2016 11:06 AM

Sankarms,

Here is an example you can paste directly into your Splunk search bar, to extract the length found and label it as 'length':

| makeresults | eval example="[27/Oct/2016:20:08:57 --0700] WBLBSdFyTFYAAHPuH1kAAAAM Content-length: 0" | rex field=example "Content-length:\s*(?<length>\d+)"

If the content above looks good, your search should be as follows:

"Content-length: " | rex field=_raw "Content-length:\s*(?<length>\d+)" | stats count(length)
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...