Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to group messages based on substring

chimuru84
Explorer
‎08-18-2023 12:50 AM

Hello community. I'm trying to extract information from a string type field and make a graph on a dashboard. In the graph, I want to group identical messages. I encounter difficulties when grouping a type of message that contains information about an id, which is different for each message and respectively for each message it returns a separate value. Ex. message: {"status":"SUCCESS","id":"123456789"}. I use this query:

"source" originalField AND ("SUCCESS" OR "FAILURE") | stats count by originalField

This query groups my fields that contain a FAILURE status, but does not group the SUCCESS ones because they have different IDs. I tried different substrings but it doesn't work. Can someone give me a solution?

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 02:07 AM

Replace the id in original field with another string

"source" originalField AND ("SUCCESS" OR "FAILURE") 
| rex mode=sed field=originalField "s/SUCCESS\",\"id\":\"[^\"]+\"/SUCCESS\",\"id\":\"id\"/g"
| stats count by originalField

View solution in original post

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎08-18-2023 01:56 AM

1.jpg

After I use this query, I have a result like this. For different reasons for status failure, I have grouped messages, but for status success, every message is separate because of his Id.  And the result looks like a JSON but is type String.

0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 02:07 AM

Replace the id in original field with another string

"source" originalField AND ("SUCCESS" OR "FAILURE") 
| rex mode=sed field=originalField "s/SUCCESS\",\"id\":\"[^\"]+\"/SUCCESS\",\"id\":\"id\"/g"
| stats count by originalField
0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎08-18-2023 07:26 AM

It works. Thank you. Now I saw that I have one more kind of success message. How can I group this message too?  

2.jpg

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 07:30 AM 
"source" originalField AND ("SUCCESS" OR "FAILURE") 
| rex mode=sed field=originalField "s/SUCCESS\",\"(id|detailedReason)\":\"[^\"]+\"/SUCCESS\"/g"
| stats count by originalField
0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎08-18-2023 07:36 AM

with this query messages with success are not grouped. I want to have one group with success and another with success/detailedReason. Is possible that? Thank You

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 07:44 AM

Because you have hidden what your event looks like, it is difficult for me to define a solution that works for you. Please share some sample events, with just the most sensitive parts obscured.

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎08-18-2023 07:47 AM

 This is how 2 success messages looks like. And I want to make 2 groups. For first, 1 query works fine, for second need to add to this query something. Thanks you.

3.jpg

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 08:33 AM 
"source" originalField AND ("SUCCESS" OR "FAILURE") 
| rex mode=sed field=originalField "s/SUCCESS\",\"accountId\":\"[^\"]+\"/SUCCESS\",\"accountId\":\"accountId\"/g"
| rex mode=sed field=originalField "s/SUCCESS\",\"detailedReason\":\"[^\"]+\",\"accountId\":\"[^\"]+\"/SUCCESS\",\"detailedReason\":\"detailedReason\",\"accountId\":\"accountId\"/g"
| stats count by originalField
0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎08-18-2023 08:37 AM

Thanks a lot!! Everything woks fine!

0 Karma
Reply
Solved! Jump to solution

yuanliu
SplunkTrust
SplunkTrust
‎08-18-2023 01:38 AM

Let me help you format the question so others can easily read

@chimuru84 wrote:

Hello community. I'm trying to extract information from a string type field and make a graph on a dashboard. In the graph, I want to group identical messages. I encounter difficulties when grouping a type of message that contains information about an id, which is different for each message and respectively for each message it returns a separate value. Ex. message: {"status":"SUCCESS","id":"123456789"}. I use this query:

"source" originalField AND ("SUCCESS" OR "FAILURE") | stats count by originalField

This query groups my fields that contain a FAILURE status, but does not group the SUCCESS ones because they have different IDs. I tried different substrings but it doesn't work. Can someone give me a solution?

The description is very unclear.  What is the relationship between "originalField" and SUCCESS or FAILURE, or with the groupby you desired?  If you group by originalField, you get a breakdown by originalField.  There can be no other outcome.  Can you exemplify some events that your search returns, and show the stats result, then explain why that result is not what you need?  Maybe illustrate your desired result with that sample dataset.

0 Karma
Reply
Solved! Jump to solution

chimuru84
Explorer
‎11-14-2023 01:57 AM

Sorry for late answer. By "\"source\" originalField" I mean field which contains  this kind of logs

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-18-2023 01:33 AM

Please can you share some anonymised versions of your events as it is unclear what originalField refers to nor whether you already have extracted the JSON fields

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...