Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to get a log pattern count?
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinij
Explorer
10-19-2016
09:27 AM
Hi,
I have a log pattern like this
requrl : serviceName: abcd key: xyz-abc-def header: http
requrl : serviceName: efgh key: abc-asd-sssd header: http
requrl : serviceName: 1234 key: abc-1234-sssd header: http
I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.
For example, I would need a table which says
serviceName key
abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd
How would i do that? Can anyone help me here?
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-19-2016
10:16 AM
Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this
base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gokadroid
Motivator
10-19-2016
06:20 PM
Try this if you want both the serviceName and the key:
base search | rex "requrl : serviceName:\s(?<serviceName>[^\s]+)\skey:\s(?<key>[^\s]+)" | stats count by serviceName, key | fields serviceName, key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sundareshr
Legend
10-19-2016
10:16 AM
Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this
base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinij
Explorer
10-19-2016
11:08 AM
That didn't work for me for some reason but it was a good one that helped learn about it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinij
Explorer
10-19-2016
11:09 AM
I figured out what I looking for in a different way. Here is my solution. I got the serviceName and the count by below search query
base search | rex "requrl : serviceName: (?<ServiceName>[^\s]+)" | stats count by ServiceName
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
inventsekar
SplunkTrust
10-19-2016
10:03 AM
Hi Srini.. please update us some more info..what is the unique pattern on this above log pattern..
thanks and best regards,
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
Sekar
PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinij
Explorer
10-19-2016
10:11 AM
Hi Sekar, I just updated the info!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinij
Explorer
10-19-2016
10:16 AM
Hi,
I have a log pattern like this
requrl : serviceName: **abcd** key: **xyz-abc-def** header: http
requrl : serviceName: **efgh** key: **abc-asd-sssd** header: http
requrl : serviceName: **1234** key: **abc-1234-sssd** header: http
The above log lines follow the pattern - requrl : serviceName: **** key: **** header: http
The bold items are values that changes.
I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.
I would need a table which prints that serviceName and key. Also would like to ignore the duplicate entries.So, if the same line prints in the log multiple time, i would like to have only one entry in the table.
serviceName key
abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd
How would i do that? Can anyone help me here?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
aaraneta_splunk
Splunk Employee
10-19-2016
10:01 AM
Hi @srinij - It looks like your post is missing information. You mention, "I would like to find the unique pattern like this" and nothing else is written. You will likely need to provide more information to the Answers community about what you would want your expected result to look like so that users can better help you. Thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
srinij
Explorer
10-19-2016
10:10 AM
@aaraneta - I just added more information. sorry about that!
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
