Hello Experts,
I am trying to read the text from the last square bracket (which is TestModelCompany,en_US).
21:11:31,367 INFO [TestBenuLogger] [155.56.208.68] [716057] [-] [TestModelCompany,en_US] No 1 XX_TimeStep="10" XX_TimeQuery="10" XX_HTTPSession="1398708550-1911P0" XX_QuerySession="null" XX_TimeStamp="2020-02-09T20:11:31.358Z-PY" XX_Company="Model Company" XX_QueryMode="STANDARD" XX_Agent="Model"
Starting Model API :
Mode : Standard
Query Operation : QUERY
Company : Model Company
New Snapshot Calculation
I wrote a regular expression to extract the content from the last bracket:
(?<=\[)[^\[\]]*(?=][^\[\]]+$)
It works well. However, I am unable to integrate it into Splunk.
This is my existing Splunk query:
sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?<lmo_date>.*?):\d\d\w\'" | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") | eval daysDiff=(_time-lmo_date_converted)/86400 | rex field=_raw "(?<name><=\[)[^\[\]]*(?=][^\[\]]+$)" | where daysDiff > 90 | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On" by XX_Company XX_Mode | sort -"Last Modified On averege days in past"
This is a working Splunk query. With this, I would like to display the content from the last bracket as a column. Could you guide me?
Give this a try:
sourcetype=text XX_Company="*" last_modified_on index="*_test_application" | rex field=_raw "last_modified_on.*?to_datetime\('(?<lmo_date>.*?):\d\d\w\'" | eval lmo_date_converted=strptime(lmo_date,"%Y-%m-%dT%H:%M") | eval daysDiff=(_time-lmo_date_converted)/86400 | where daysDiff > 90 | rex field=_raw "^([^\[]+\[){5}(?<name>[^\]]+)" | stats avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On" by XX_Company XX_Mode name | sort -"Last Modified On averege days in past"
Any idea?
Is the log format constant? If yes, the name you're trying to extract is the 5th [...] element. Extract it based on that position and add name to your stats-by clause.
| stats values(name) as name avg(daysDiff) as "Last Modified On averege days in past", max(daysDiff) as "Max Value Of Last Modified On" by XX_Company XX_Mode
I fixed the stats.
I just need to add a new column with my regex. The stats are already working well.
The regular expression to extract the content from the last bracket is this:
(?<=\[)[^\[\]]*(?=][^\[\]]+$)
How do I add this in rex and show it as a column with the existing query?
Did you try my last answer? The name value appears.
Try adjusting your second rex: rex field=_raw "(?<name>(?<=\[)[^\[\]]*)(?=][^\[\]]+$)"
What is wrong with this?
|rex field=_raw "\[(?<name>[^\[\]]*,[^\[\]]*)\]"
Simply.
OK, how do I display the variable "name" as a column in statistics? I would like to test your rex field=_raw "\[(?<name>.*?\,.*?)\]"
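Before changing the search, it is worth checking which of the rex patterns posted in this thread actually returns the last bracket's content on the sample event. The script below is an added example (not from the thread or from Splunk): it runs the positional count, the lookaround, the lazy `.*?\,.*?` form and a bracket-class variant against the event, with Python's re module standing in for Splunk's PCRE engine; the helpers pcre_to_python, extract_name and compare_patterns are my own names.

```python
import re

# Constructed multi-line event, copied from the log excerpt in the question.
SAMPLE_EVENT = (
    '21:11:31,367 INFO [TestBenuLogger] [155.56.208.68] [716057] [-] '
    '[TestModelCompany,en_US] No 1 XX_TimeStep="10" XX_Company="Model Company"\n'
    'Starting Model API :\n'
    'Mode : Standard\n'
    'Company : Model Company\n'
    'New Snapshot Calculation'
)

# Candidate rex patterns from the thread, written exactly as they would be in SPL.
PATTERNS = {
    "positional":  r"^([^\[]+\[){5}(?<name>[^\]]+)",
    "lookaround":  r"(?<name>(?<=\[)[^\[\]]*)(?=][^\[\]]+$)",
    "lazy_comma":  r"\[(?<name>.*?\,.*?)\]",
    "class_comma": r"\[(?<name>[^\[\]]*,[^\[\]]*)\]",
}


def pcre_to_python(pattern):
    """Splunk rex uses PCRE named groups (?<name>...); Python's re needs
    (?P<name>...). Lookbehinds (?<= and (?<! are left untouched."""
    return re.sub(r"\(\?<(?![=!])", "(?P<", pattern)


def extract_name(event, pattern):
    """Mimic `rex field=_raw`: the first match wins; return the named group
    or None when the pattern does not match the event at all."""
    m = re.search(pcre_to_python(pattern), event)
    return m.group("name") if m else None


def compare_patterns(event):
    """Run every candidate pattern against one event and collect the results,
    so an over-capturing regex is visible before it reaches the search."""
    return {label: extract_name(event, p) for label, p in PATTERNS.items()}


if __name__ == "__main__":
    for label, value in compare_patterns(SAMPLE_EVENT).items():
        print(f"{label:12s} -> {value!r}")
```

The lazy form starts at the first `[` and expands across the earlier bracket groups until it reaches the first comma, so it returns far more than the last bracket; the other three return only TestModelCompany,en_US.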