Hi, when I searched with the below query
index=casm_prod sourcetype=smtrace ........REGULAR EXP.....................
Please help me to write the regular expression for finding the application value app=Center realm.
By default it is not showing, for example: index=casm_prod sourcetype=smtrace app=Center realm
So we need to write a regular expression to show the result.
Kindly help on it.
moiezuddin, I am not sure I'm interpreting the request, but I see two possibilities.
1) "Center realm"
index=casm_prod sourcetype=smtrace "Center realm"
instead of index=casm_prod sourcetype=smtrace app="Center realm"
But I don't think that's what you are after. I think instead, you want:
2) app="Center realm"
I think you are trying to "define" app to be "center realm" when it's like the second set of logs. For this, you'll want to create a field extraction. You give a line format like so: [04/08/2015][06:13:13.893][498011056][s46597300/r12][Center realm]...
Now, I'm no wizard, but you could brute force something like creating a field out of the 4th set of "stuff" in square brackets (starts at index 0, not 1, hence 4th, not 5th). There are regex ways to do it, too.
index=casm_prod sourcetype=smtrace
| makemv tokenizer="\[(.*?)\]" _raw
| eval app=mvindex(_raw,4)
Now, I'm not sure how that works given your other search results, but if it's like most things in Splunk the above commands will ignore lines that don't fit the [stuff1][stuff2],... format of these lines. I'm also not positive I have it all right; you may need the 3rd, 5th, or some other field out of that.
That should let "app=blah" work fine when it's in the URL string (where Splunk already knows this field), and when the line matches the format of the set you gave above, it should add app="Center realm" as a field.
Give that a try and see how it goes.
By the way, if you want to use the other values, I'd use a rex probably. I'm making it up, but if you wanted to break on square brackets, something like...
index=casm_prod sourcetype=smtrace | rex "\[(?<mydate>[^]]+)\]\[(?<mytime>[^]]+)\]\[(?<somefield1>[^]]+)\]\[(?<somefield2>[^]]+)\]\[(?<app>[^]]+)\]"
Then you can extend it by copying/pasting each part and renaming the field. \[(?[^]]+)\]
is one piece. 🙂
I think the inline version of the code (the little piece) ate my angled brackets and what was inside it (right after the question mark). You can probably figure it out. If you have specific problems, ask again with a few sample lines and what does/is and does not/is not working.
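As an added illustration that is not part of the thread, the following Python script applies the same two extractions the answer above describes (the five-group bracket rex, and the app=value key/value Splunk already picks up from a URL string) to a few constructed smtrace-style lines, including one that fits neither format. The sample events and the count_by_app helper are my own constructions, not data from the original post.

```python
import re

# Constructed sample events modelled on the line format quoted in the answer
# (not real smtrace data). The third line has app only as a URL parameter,
# the fourth fits neither format and should simply be ignored.
SAMPLE_EVENTS = [
    "[04/08/2015][06:13:13.893][498011056][s46597300/r12][Center realm][user1]",
    "[04/08/2015][06:13:14.001][498011056][s46597300/r13][Other realm][user2]",
    "GET /login?app=Center realm&sso_id=abc HTTP/1.1",
    "malformed line with no brackets",
]

# Same named groups as the rex in the answer. Each token is "[^]]+", so a value
# may contain spaces (like "Center realm") but never a closing bracket.
BRACKET_REX = re.compile(
    r"\[(?P<mydate>[^]]+)\]\[(?P<mytime>[^]]+)\]\[(?P<somefield1>[^]]+)\]"
    r"\[(?P<somefield2>[^]]+)\]\[(?P<app>[^]]+)\]"
)
# Rough stand-in for the automatic key=value extraction of "app=..." in a URL.
KV_REX = re.compile(r"(?:^|[?&\s])app=(?P<app>[^&]+)")


def tokenize_brackets(raw):
    """Mirror of makemv tokenizer="\\[(.*?)\\]": the bracketed tokens, [] if none."""
    return re.findall(r"\[(.*?)\]", raw)


def extract_app(raw):
    """Return the app value for one event, or None if neither format matches."""
    m = BRACKET_REX.search(raw)
    if m:
        return m.group("app")  # 5th bracketed token (index 4), as mvindex(_raw,4)
    m = KV_REX.search(raw)
    if m:
        return m.group("app").strip()
    return None


def count_by_app(events):
    """Like '| stats count by app': events without an app value drop out."""
    counts = {}
    for raw in events:
        app = extract_app(raw)
        if app is None:
            continue
        counts[app] = counts.get(app, 0) + 1
    return counts
```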
Thanks Rich, for your brief explanation.
I got the result with the below search query:
index=casm_prod sourcetype=smtrace "Center realm" | bucket _time span=1m |stats count(sso_id) as eventcount by _time, sso_id
Thanks a lot.
To make sure that app=center realm is in your data, run this search: index=casm_prod sourcetype=smtrace |search "Center realm"
then post a sample event of the result.
Please post some sample data.