Splunk Search

How to get a log pattern count?

srinij
Explorer

Hi,

I have a log pattern like this

requrl : serviceName: abcd key: xyz-abc-def header: http
requrl : serviceName: efgh key: abc-asd-sssd header: http
requrl : serviceName: 1234 key: abc-1234-sssd header: http

I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.

For example, I would need a table which says

serviceName key

abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd

How would i do that? Can anyone help me here?

Tags (3)
0 Karma
1 Solution

sundareshr
Legend

Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this

base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key

View solution in original post

0 Karma

gokadroid
Motivator

Try this if you want both the serviceName and the key:

base search | rex "requrl : serviceName:\s(?<serviceName>[^\s]+)\skey:\s(?<key>[^\s]+)" | stats count by serviceName, key | fields serviceName, key
0 Karma

sundareshr
Legend

Assuming your data is indexed in splunk, you can use extract and dedup to get your desired results. Try this

base search | extract pairdelim=" " kvdelim=":" | table serviceName key | dedup serviceName key
0 Karma

srinij
Explorer

That didn't work for me for some reason but it was a good one that helped learn about it.

0 Karma

srinij
Explorer

I figured out what I looking for in a different way. Here is my solution. I got the serviceName and the count by below search query

base search | rex "requrl : serviceName: (?<ServiceName>[^\s]+)" | stats count by ServiceName

inventsekar
Ultra Champion

Hi Srini.. please update us some more info..what is the unique pattern on this above log pattern..

0 Karma

srinij
Explorer

Hi Sekar, I just updated the info!

0 Karma

srinij
Explorer

Hi,

I have a log pattern like this

requrl : serviceName: **abcd** key: **xyz-abc-def** header: http
requrl : serviceName: **efgh** key: **abc-asd-sssd** header: http
requrl : serviceName: **1234** key: **abc-1234-sssd** header: http

The above log lines follow the pattern - requrl : serviceName: **** key: **** header: http
The bold items are values that changes.

I would like to find the unique pattern on the above. The above pattern can be duplicated - like the first line can be multiple times.

I would need a table which prints that serviceName and key. Also would like to ignore the duplicate entries.So, if the same line prints in the log multiple time, i would like to have only one entry in the table.

serviceName key

abcd xyz-abc-def
efgh abc-asd-sssd
1234 abc-1234-sssd

How would i do that? Can anyone help me here?

0 Karma

aaraneta_splunk
Splunk Employee
Splunk Employee

Hi @srinij - It looks like your post is missing information. You mention, "I would like to find the unique pattern like this" and nothing else is written. You will likely need to provide more information to the Answers community about what you would want your expected result to look like so that users can better help you. Thanks.

0 Karma

srinij
Explorer

@aaraneta - I just added more information. sorry about that!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

Splunk is officially part of Cisco

Revolutionizing how our customers build resilience across their entire digital footprint.   Splunk ...

Splunk APM & RUM | Planned Maintenance March 26 - March 28, 2024

There will be planned maintenance for Splunk APM and RUM between March 26, 2024 and March 28, 2024 as ...