Re: How to extract fields from my _raw data into e...

helpmejesus · ‎04-07-2016

I will try and explain my problem to the best of my ability. I am attempting to create a saved search from which I hope to make a pie graph which will display several different events. I am a Splunk newbie and my knowledge of proper search syntax is garbage. The means which I am using to find the events of interest is as follows (I know this is ugly):

index=someindex SomeKeyWord NOT thisword (someword1 OR someword2 OR someword3)

The reason I am searching like this is because I am searching for a particular action failing and it happens to break in like seven different ways, each way producing a log with a different string of words. I've spent three days trying to mess around with rex to try and extract key words from each one of these logs and create a tally of how many times each event occurs, but alas I am not skilled enough to make this work.

Here is an example of three distinct logs which are pulled from my search. I am trying to gather each log depending on the words it has and tally them into distinct categories. The way I am trying to do this is to have rex parse through each log and depending on which key word it finds in the log, push it into a group which I can organize into a table.

LOGS:

2016/04/07 13:52:34.503 I-100001 TCPCOM1 Storenumber 😘 TSEND D(230,105,,,1,16, 123490,31904812390,Sale_0000,,,,,*****************,21348972198,23984721,,,,*CEM_Swiped ,,238420,,,,,,,,,,,2390420,,,,some words 1**,,,,,,,,719482,,719482,English,04072016,105232,,207,BBCR1111,1,,702348729,,,,,,619,2134981200,,) N(6,F09034)
host = host1 source = source1 sourcetype = sourcetype1

2016/04/07 13:52:34.503 I-100001 TCPCOM1 Storenumber 😘 TSEND D(230,105,,,1,16, 123490,31904812390,Sale_0000,,,,,*****************,21348972198,23984721,,,,*CEM_Swiped ,,238420,,,,,,,,,,,2390420,,,,some words 2**,,,,,,,,719482,,719482,English,04072016,105232,,207,BBCR1111,1,,702348729,,,,,,619,2134981200,,) N(6,F09034)
host = host1 source = source1 sourcetype = sourcetype1

2016/04/07 13:52:34.503 I-100001 TCPCOM1 Storenumber 😘 TSEND D(230,105,,,1,16, 123490,31904812390,Sale_0000,,,,,*****************,21348972198,23984721,,,,*CEM_Swiped ,,238420,,,,,,,,,,,2390420,,,,some words 3**,,,,,,,,719482,,719482,English,04072016,105232,,207,BBCR1111,1,,702348729,,,,,,619,2134981200,,) N(6,F09034)
host = host1 source = source1 sourcetype = sourcetype1

The fields I care about are: store number, some words1, some words2, some words3, and date which the log occurred. Ultimately I want to have a pie chart which will depict how many times each type of log happened, what store it happened at, and when. I understand what a convoluted mess this is, but If someone could help me or steer me into the right direction with this I will actually cry tears of joy.

somesoni2 · ‎04-07-2016

Give this a try

index=someindex SomeKeyWord NOT thisword (someword1 OR someword2 OR someword3) 
| rex "^(\S+\s+){4)(?<Storenumber>\S+)\s+:" | eval Category=case(match(_raw,"someword1"),"category1",match(_raw,"someword2"),"category2",1=1,"category3") 
| table _time Storenumber Category

The 'eval - case' is matching the raw data againts the keywords and assigning a category to the events (in the field Category).

helpmejesus · ‎04-07-2016

Its not perfect but definitely helped me out. I will try and play with this tonight and Ill let you know how it goes. Thanks for the response!

helpmejesus · ‎04-08-2016

Dude thank you so much for the help, you really saved me. Worked like a charm after a but of tweaking

How to extract fields from my _raw data into events and sort them in a table?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!