Splunk Search

How to extract the file type from my logs and get the count of successfully processed files by file type?

boddunan
Engager

Hi,

I am searching for some way to extract the count of each file type that is successfully processed. The logs contain various levels of processing of a file, but the final line contains the status of the processing. I need to extract all such successfully processed files and count how many successful files there are for each type. For example, below is my pattern in the log.

11:44:01,982 some other log here File: ../../../transfer/dir/path/**MYFILETYPE**.SOMEOTHERPATTEN.xml successfully imported.

So I need to extract all such lines and build a table with count of each file type. Can someone please help with what regex I need to use to get this?

0 Karma

somesoni2
Revered Legend

Give this a try

index=foo sourcetype=bar "successfully imported" | rex "File:\s+.*\/(?<filetype>\w+)\..*\ssuccessfully imported" | stats count by filetype
0 Karma
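The search above can be checked offline before it is run against an index. The following is an added example, not part of the original answer: it emulates the keyword filter, the `rex` extraction and `stats count by filetype` in Python. The sample events are constructed, the asterisks in the question's sample line are assumed to be forum emphasis, and `count_by_filetype` is a hypothetical helper name.

```python
import re
from collections import Counter

# Python spelling of the rex pattern above: Splunk's (?<filetype>...) is
# written (?P<filetype>...) in Python's re module.
REX = re.compile(r"File:\s+.*\/(?P<filetype>\w+)\..*\ssuccessfully imported")

# Constructed sample events (not real logs). The asterisks around the file
# type in the question are assumed to be emphasis markup and are left out.
SAMPLE_EVENTS = [
    "11:44:01,982 job-7 File: ../../../transfer/dir/path/ORDERS.20240101.xml successfully imported.",
    "11:44:02,110 job-7 File: ../../../transfer/dir/path/ORDERS.20240102.xml successfully imported.",
    "11:44:03,541 job-8 File: ../../../transfer/dir/path/INVOICE.A17.xml successfully imported.",
    "11:44:04,007 job-8 File: ../../../transfer/dir/path/INVOICE.A18.xml failed validation.",
    "11:44:05,300 job-9 File: ../../../transfer/dir/path/PRICE-LIST.B2.xml successfully imported.",
    "11:44:06,012 job-9 parsing ../../../transfer/dir/path/ORDERS.20240103.xml",
]


def count_by_filetype(events, pattern=REX):
    """Emulate: "successfully imported" | rex ... | stats count by filetype.

    Returns (counts, unmatched). unmatched holds events that passed the
    keyword filter but yielded no filetype field; stats ... by filetype
    leaves such events out of the table without any warning.
    """
    counts, unmatched = Counter(), []
    for event in events:
        if "successfully imported" not in event:
            continue  # keyword filter from the base search
        match = pattern.search(event)
        if match:
            counts[match.group("filetype")] += 1
        else:
            unmatched.append(event)
    return counts, unmatched


if __name__ == "__main__":
    counts, unmatched = count_by_filetype(SAMPLE_EVENTS)
    for filetype, n in sorted(counts.items()):
        print(f"{filetype:10} {n}")
    for event in unmatched:
        print("no filetype extracted:", event)
```

Because `\w+` does not match a hyphen, the constructed `PRICE-LIST` event passes the keyword filter but gets no `filetype` value, which is the kind of gap worth checking for before relying on the counts.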

ktugwell_splunk
Splunk Employee

Hey boddunan,

First of all, I'd search for all data where "successfully imported." exists:

your base search... | search "successfully imported."

Then I'd add a regular expression like this:

| rex field=_raw "path\/(?<file_name>[A-Za-z0-9*%$]*\.\w+\.\w{2,4})"

You should then see a field in your data called "file_name". You should then be able to do this:

your base search... | search "successfully imported." | rex field=_raw "path\/(?<file_name>[A-Za-z0-9*%$]*\.\w+\.\w{2,4})" | stats count by file_name

Let me know how that goes. If you want to pull apart the regular expression and see how it works (or how you can debug it), try www.regex101.com.

Copy the path\/(?<file_name>[A-Za-z0-9*%$]*\.\w+\.\w{2,4}) in the top input box and your data underneath. On the right-hand side it'll show you how it works.

Thanks

sundareshr
Legend

This should work

index=* | rex "File:\s(?<filename>[^\s]+)\s(?<status>successfully)" | stats count by filename
0 Karma