Splunk Search

How to search for three different actions: Browse, View, and Download?

Communicator

Hi guys,

First off, I'd like to apologize for the lopsided question, as I am kinda unsure of what I was asked to do! Alright, so I'm going to post some logs and I need help from you guys to pull out some info from them. I need to pull out the bold text for all three logs, and was wondering if it was possible to put all of it into one search.

I am trying to get EmployeeDocumentsServicesImp.getDocument() also with the Elapsed time.


Re: How to search for three different actions: Browse, View, and Download?

SplunkTrust

This should work:

<search that finds all 3 logs> | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table service elapsedTime
---
If this reply helps you, an upvote would be appreciated.


Re: How to search for three different actions: Browse, View, and Download?

Communicator

Hi Rich, and thanks for your answer. I tried to execute that search and got back an error message. The message is as follows:

Error in 'search' command: Unable to parse the search: Comparator '<' has an invalid term on the left hand side.


Re: How to search for three different actions: Browse, View, and Download?

SplunkTrust

The first part of the search is a placeholder. Since only you know how your data is stored, you need to fill in the <search that finds...> part.

---
If this reply helps you, an upvote would be appreciated.

Re: How to search for three different actions: Browse, View, and Download?

Communicator

So I tried to do as you said, and this is my search:

index=Doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | table service elapsedTime

It works, but it only displays getDocument and getDocumentPDF in a weird format. I was wondering if I could convert this data to display as a graph, as I wanted to include it in the dashboard. I also want to include a search for EmployeeDocumentServicesImp.listDocuments().


Re: How to search for three different actions: Browse, View, and Download?

SplunkTrust

To get a graph, replace the table command with chart avg(elapsedTime) by service or timechart values(elapsedTime) by service.
To add the new service, change the rex string to "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]".

---
If this reply helps you, an upvote would be appreciated.

Re: How to search for three different actions: Browse, View, and Download?

Communicator

So I tried entering the same search you just told me about, and got the same results as before. The results are in a table going from 1-53 and not displaying anything after that. The search is:

index=doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | chart avg(elapsedTime) by service

Re: How to search for three different actions: Browse, View, and Download?

SplunkTrust

Have you clicked the Visualizations tab?

---
If this reply helps you, an upvote would be appreciated.

Re: How to search for three different actions: Browse, View, and Download?

Communicator

So it is displaying getDocument and getDocumentPDF, but it is not listing listDocuments. Here is the code:

index=doccloud_main sourcetype="doccloud-dit_sb" | rex "(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?|EmployeeDocumentServicesImp\.listDocuments)\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]" | timechart values(elapsedTime) by service

Re: How to search for three different actions: Browse, View, and Download?

SplunkTrust

Carefully compare the service names in your data with the names in the regex. Perhaps you need to change Imp\.listDocuments to Imp[l]?\.listDocuments.

---
If this reply helps you, an upvote would be appreciated.
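The rex extraction and the `Imp` vs `Impl` mismatch from the replies above, reproduced offline as an added Python example (not from the thread or from Splunk): Python's `re` uses the same `(?P<name>...)` named groups as rex, the events are constructed samples since the poster's logs are not on the page, and `chart_avg_by_service` stands in for `chart avg(elapsedTime) by service`.

```python
import re
from collections import defaultdict

# Constructed sample events (the poster's real logs are absent from the thread),
# shaped the way the rex expects. The class is logged as "...Impl" throughout.
SAMPLE_EVENTS = [
    "2021-03-04 09:12:01 INFO  EmployeeDocumentServicesImpl.getDocument(docId=101) Elapsed time: - [0.412]",
    "2021-03-04 09:12:03 INFO  EmployeeDocumentServicesImpl.getDocumentPDF(docId=101) Elapsed time: - [1.250]",
    "2021-03-04 09:12:05 INFO  EmployeeDocumentServicesImpl.listDocuments(empId=77) Elapsed time: - [0.088]",
    "2021-03-04 09:12:06 INFO  EmployeeDocumentServicesImpl.getDocument(docId=102) Elapsed time: - [0.388]",
    "2021-03-04 09:12:07 WARN  SessionManager.refresh(token=abc) Elapsed time: - [0.005]",
]

# Pattern as posted in the thread: only the getDocument branch tolerates the trailing "l".
REX_AS_POSTED = re.compile(
    r"(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?"
    r"|EmployeeDocumentServicesImp\.listDocuments)"
    r"\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]"
)

# Same pattern with the optional "l" applied to listDocuments as well (the last reply's suggestion).
REX_FIXED = re.compile(
    r"(?P<service>EmployeeDocumentServicesImp[l]?\.getDocument(?:PDF)?"
    r"|EmployeeDocumentServicesImp[l]?\.listDocuments)"
    r"\(.* Elapsed time:\s+-\s\[(?P<elapsedTime>[\d\.]+)\]"
)

def extract(events, pattern):
    """Mimic `| rex ...`: return (service, elapsedTime) for each matching event.
    Non-matching events simply get no fields, exactly as rex leaves them."""
    rows = []
    for line in events:
        m = pattern.search(line)
        if m:
            rows.append((m.group("service"), float(m.group("elapsedTime"))))
    return rows

def chart_avg_by_service(rows):
    """Mimic `| chart avg(elapsedTime) by service`, rounded to 3 decimals."""
    samples = defaultdict(list)
    for service, elapsed in rows:
        samples[service].append(elapsed)
    return {svc: round(sum(v) / len(v), 3) for svc, v in sorted(samples.items())}

if __name__ == "__main__":
    for label, pattern in (("as posted", REX_AS_POSTED), ("fixed", REX_FIXED)):
        print(label, chart_avg_by_service(extract(SAMPLE_EVENTS, pattern)))
```

With the as-posted pattern the listDocuments event silently yields no fields and so never appears in the chart; the fixed pattern picks it up, while the unrelated SessionManager line is still ignored by both.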