Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Join the Conversation
Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to extract the profile from the log?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-25-2018
01:51 PM
INFO Decrypted user token received as header:
{"phoneNumber":"888888888","firstName":"Alan ","lastName":"Mmm","email":"alan@mmmcom","id":"658336","guid":"f07286ef-d3ea-4319-ac45-39596354ce95","userType":"PROFILE_OWNER","profileId":"480783","profileGuid":"14d9b3a5-9350-435b-8f45-fe4556f465b7","profileName":"KARATE EAT NOW","profileOwnerPhoneNumber":"8585181878","profileOwnerFirstName":"Alan ","profileOwnerLastName":"Mmm","profileOwnerEmail":"alan@mmm.com","profileOwnerId":"658336"}
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
01-25-2018
02:30 PM
If your trying to do this at search time your syntax is not quite correct.
try this:
...|rex field=_raw "profileId\":\"(?<profileId>\d+)\""|table profileId
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nickhills
Ultra Champion
01-25-2018
02:30 PM
If your trying to do this at search time your syntax is not quite correct.
try this:
...|rex field=_raw "profileId\":\"(?<profileId>\d+)\""|table profileId
If my comment helps, please give it a thumbs up!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-25-2018
07:32 PM
is there a way to sort the count by month in ascending order.. like Nov, Dec, Jan.
I'm trying this but the data is not in order
INFO Decrypted user token received as header" "profileId" | eval Month=strftime(_time,"%b") | rex field=_raw "profileId\":\"(?\d+)\""|dedup profileId | stats count(profileId) by Month | sort -_time
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-26-2018
08:24 AM
How Can i Extract the user "pmcmurchy@com.net" from the log?
INFO User [pmcmurchy@com.net] successfully logged into Myaccount Portal on :Fri Jan 26 09:37:53 EST 2018
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-25-2018
07:40 PM
try this
INFO Decrypted user token received as header" "profileId" | eval month=strftime(_time,"%m") | rex field=_raw "profileId\":\"(?<profileId>\d+)\"" | dedup profileId | stats count(profileId) by month date_month| sort month | fields- month
let me know if this helps!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-25-2018
07:50 PM
No it didnt help me
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-25-2018
07:57 PM
If I search for last 6 months its showing the chart like this...
Jan, July, Aug, Sep, Oct, Nov, Dec
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
mayurr98
Super Champion
01-25-2018
08:08 PM
then try this
INFO Decrypted user token received as header" "profileId" | eval month=strftime(_time,"%m") | rex field=_raw "profileId\":\"(?<profileId>\d+)\"" | dedup profileId | stats count(profileId) by date_year date_month month | sort date_year month | fields- date_year month
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-26-2018
06:14 AM
thanks Mayur... this worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yograjpatel
New Member
01-25-2018
02:08 PM
have tried the below but the unique values are not extracting.
" INFO Decrypted user token received as header" "profileId" | rex ":\s+(?\d+)\s+\/"
rex "\"profileId\"\s:\s\"(?P\d+)\""
just getting the total count.
Got questions? Get answers!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Meet up IRL or virtually!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Get Updates on the Splunk Community!
Announcing Modern Navigation: A New Era of Splunk User Experience
We are excited to introduce the Modern Navigation feature in the Splunk Platform, available to both cloud and ...
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
After a whole week of being on call, you fell asleep on your keyboard, and you hit a sequence of buttons that ...
