Solved: How to get a log pattern count?

srinij · ‎10-19-2016

Hi,

I have a log pattern like this

requrl : serviceName: abcd key: xyz-abc-def header: http
requrl : serviceName: efgh key: abc-asd-sssd header: http
requrl : serviceName: 1234 key: abc-1234-sssd header: http

I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.

For example, I would need a table which says

serviceName key

abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd

How would i do that? Can anyone help me here?

sundareshr · ‎10-19-2016

Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this

base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key

View solution in original post

gokadroid · ‎10-19-2016

Try this if you want both the serviceName and the key:

base search | rex "requrl : serviceName:\s(?<serviceName>[^\s]+)\skey:\s(?<key>[^\s]+)" | stats count by serviceName, key | fields serviceName, key

sundareshr · ‎10-19-2016

Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this

base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key

srinij · ‎10-19-2016

That didn't work for me for some reason but it was a good one that helped learn about it.

srinij · ‎10-19-2016

I figured out what I looking for in a different way. Here is my solution. I got the serviceName and the count by below search query

base search | rex "requrl : serviceName: (?<ServiceName>[^\s]+)" | stats count by ServiceName

inventsekar · ‎10-19-2016

Hi Srini.. please update us some more info..what is the unique pattern on this above log pattern..

thanks and best regards,
Sekar

PS - If this or any post helped you in any way, pls consider upvoting, thanks for reading !

srinij · ‎10-19-2016

Hi Sekar, I just updated the info!

srinij · ‎10-19-2016

Hi,

I have a log pattern like this

requrl : serviceName: **abcd** key: **xyz-abc-def** header: http
requrl : serviceName: **efgh** key: **abc-asd-sssd** header: http
requrl : serviceName: **1234** key: **abc-1234-sssd** header: http

The above log lines follow the pattern - requrl : serviceName: **** key: **** header: http
The bold items are values that changes.

I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.

I would need a table which prints that serviceName and key. Also would like to ignore the duplicate entries.So, if the same line prints in the log multiple time, i would like to have only one entry in the table.

serviceName key

abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd

How would i do that? Can anyone help me here?

aaraneta_splunk · ‎10-19-2016

Hi @srinij - It looks like your post is missing information. You mention, "I would like to find the unique pattern like this" and nothing else is written. You will likely need to provide more information to the Answers community about what you would want your expected result to look like so that users can better help you. Thanks.

srinij · ‎10-19-2016

@aaraneta - I just added more information. sorry about that!

How to get a log pattern count?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...

AppDynamics is now part of Splunk Ideas

Advanced Splunk Data Management Strategies