Hello,
I am a trying to implement Serial Number decoding in Splunk in anyway possible.
For eg. I have 100 test units each with a Serial Number like ABCDEF001. There is a significance for each and every letter of the Serial Number.
A - year
B - month
C - day
D - type of unit
E - config type
F - plant type
001 - running number for serial number
I already have Dashboards that do timecharts based on the whole Serial Number - like say Data transmission times for each and every unit.
Now need to take it further, by decoding each & every character of the Serial Number. So the final analysis will be like these units manufactured in say year 2012 in the between 10 and 20 of month of January with this particular config exhibit these typical Data transmission times.
I am familiar with lookups and have them implemented. I searched around briefly and did not get a reliable solution to implement this Serial Number decoder.
I will try out the solutions recommended here and provide feedback.
Please help.
Thanks,
Abhi
You say they're literal characters and that you can probably make the lookups to turn them into brilliance. I think the piece you're missing is using rex to rip out little bits of it into fields.
So, to take a string like you provided, ABCDEF001 and make it into fields like you asked;
A - year
B - month
C - day
D - type of unit
E - config type
F - plant type
001 - running number for serial number
You would only need
...your base search... | rex field=TheField "(?<myYear>\w)(?<myMonth>\w)(?<myDay>\w)(?<myUnitType>\w)(?<myConfigType>\w)(?<myPlantType>\w)(?<myOtherNumber>\d+)"
Where "TheField" is the field name where the string lives (perhaps _raw), then each word character \w
is parsed out, then at the end it parses "and one or more numbers" with \d+
. Just change your field names around to whatever you want.
A run-anywhere example you can use to confirm.
| gentimes start=3/1/2016 end=3/2/2016 | eval test="ABCDEF001" | rex field=test "(?<myYear>\w)(?<myMonth>\w)(?<myDay>\w)(?<myUnitType>\w)(?<myConfigType>\w)(?<myPlantType>\w)(?<myOtherNumber>\d+)"
Other rexes available upon request - they're fun.
As an alternative thought, you could modify the raw data to explicitly list each field instead of a cryptic serial number. Searching for individual values will be much more pleasurable then. An added bonus would be better human readability, too.
If you can't change it at the source you could sed yourself the change at index time within Splunk.
Thanks rich7177. Please let me try this out. I will provide feedback as to how it goes.
I took the liberty of moving your answer to a comment against my answer.
Yes, feedback on how it goes would be great! You'll want to put your lookups after the rex, of course.
Also, is this the best way to implement the solution? I mentioned lookup tables as I am comfortable.
But if there a better and more efficient solution, please point me to it. I am all for learning and try it out. I will provide feedback on them too.
Thanks.
Also, you can make your lookups automatic.
Put those two together and have your new fields extract themselves, then the lookups run and add fields like "MyUnitTypeName" and you've got yourself some nice, easy to use data - that's the first step to taking over the world. I think.
Awesome. I like the taking over the world part. Let me try these things out.
More efficient and 'faster'? Probably not much.
Better? Yes! Glad you asked!
What you'll want to do is edit one of your $splunkhome/etc/apps/(someappname)/local/props.conf file and add something very much like
[mySourceTypeForThisSource]
EXTRACT-SplitSerialNums = (?<myYear>\w)(?<myMonth>\w)(?<myDay>\w)(?<myUnitType>\w)(?<myConfigType>\w)(?<myPlantType>\w)(?<myOtherNumber>\d+)
With luck(1), you'll then just have those fields be in your output. Poof, choirs of angels will sing!
(1) Lol. I always forget if there's any changes needed to a rex to convert it to a regex in a props. I think only escaping needs fiddled with, and I think there's nothing there needing escaping, so we should be OK.
Sorry about the multi-edit, the evil editor monster ate some characters.
Thanks a lot rich7177. Let me try this out & provide feedback.