
How to search results and present as a table of selected key vaule?

padrsri
Explorer

Hello All,

The log has spaces before and after the equals sign, with semicolon separation. I'm unable to get a table of the request status with a search like: index="gd" RequestStatus | table RequestStatus, _time

Would you please advise if anyone has suggestions.

Log sample

{"timestamp":"2022-11-02 17:01:21,421+0000","level":"INFO","location":"request_process:171","message":"request_id = 5ac3565f-d964-31cd-90b1-e8b7b208e7df; RequestStatus = Completed; RequestID = 5ac3565f-d9a64-31cd-9021-e8b7b208e7df--70ivkG0Td8OBpvWk; S3SourceKey = 1049x7555.xml ; "function_request_id":"b61aa34-f22b-53bc-957e-142456b9b7a5","xray_id":"1-6482a25d-78459fbe07213ee14x4386bd"}

 

RequestStatus = Received

RequestStatus = Completed

RequestStatus = Error


richgalloway
SplunkTrust

Here's the most straightforward way (IMO). It uses the rex command to extract the RequestStatus field.

index="gd" RequestStatus
| rex "RequestStatus = (?<RequestStatus>\S+)"
| table RequestStatus, _time

  

---
If this reply helps you, Karma would be appreciated.

padrsri
Explorer

Thank you for the quick response; the solutions helped us.

Somehow, I'm not able to get the Received request ID in the search (sample log). Also, is there any way to display it as a report like the one below?

RequestStatus status 

message: css_request_id = abceesxs-e8cf-383a-81d6-78185430c323; RequestStatus = Received; EnvName = tst111; RequestId = abceesxs-e8cf-383a-81d6-78185430c323--HO1FQtsdshNVf80E; bucket = testbucket; key = DATA.xml; attempts = 1;

Completed status 

message: css_request_id = abceesxs-e8cf-383a-81d6-78185430c323; RequestStatus = Completed; RequestID = abceesxs-e8cf-383a-81d6-78185430c323--HO1FQtsdshNVf80E; responseStatusCode = True; platformBuckets = ['css-lpue1-platform-data-application', 'css-lpue2-platform-data-application']; key = DATA.xml; bucket = testbucket; sourceKey = 10497687_DATA.xml ; 
service: gwy-Inbound

Search index

index="gd" RequestStatus RequestID | rex "RequestStatus = (?<RequestStatus>\S+)" | rex "RequestID = ?[\S+](?<RequestID>[\S+]*)" | table RequestID, RequestStatus, _time

Report like 

RequestID   RequestStatus        _time
-------------------------------------------------
11111111    Received,Completed   2022-11-02 17:01:21
11111112    Received,Completed   2022-11-02 17:01:21
11111113    Received,Completed   2022-11-02 17:01:21
11111114    Received,Error       2022-11-02 17:01:21
11111115    Received,Completed   2022-11-02 17:01:21

Thank you,

padrsri
Explorer

Thank you for all your help. The search is working fine now. Is it possible to display it as a report like the one below? Can you please advise?

Search index

index="mw_ib_prf507" RequestStatus RequestID
| rex "RequestStatus = (?<RequestStatus>\S+)"
| rex "RequestI[Dd] = (?<RequestID>\S+)"
| table RequestID, RequestStatus

Request Id    RequestStatus        RequestStatusCount

11111111      Received,Completed   2
11111112      Received,Completed   2
11111113      Received,Completed   2
11111114      Received,Error       2
11111115      Received,Completed   2

11111115      Received             1

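The field extraction the replies in this thread settle on, and the per-request summary asked for in the post above, as an added Python example (not code from the thread, from padrsri or richgalloway, or from Splunk). It runs the same two regexes as the accepted rex commands over constructed sample events in the thread's message format (Python spells a named group `(?P<name>...)` where Splunk's PCRE uses `(?<name>...)`), then groups the results by RequestID the way an SPL `stats values(RequestStatus) as RequestStatus count as RequestStatusCount by RequestID` would; that SPL is my suggestion, not something the thread confirms, and `values()` returns the distinct statuses sorted alphabetically rather than in event order. The sample events and the names `extract_fields`, `parse_pairs` and `build_report` are mine. One caveat worth seeing in code: in these messages the value is followed directly by `;`, so `\S+` captures `Completed;` with the semicolon attached, while `[^;\s]+` stops at the delimiter. The EnvName pair never needs excluding, because each regex anchors on its own key name and ignores the other pairs.

```python
import re
from collections import defaultdict

# Constructed sample events (made up for this example, not taken from the thread):
# semicolon-separated "key = value" pairs with spaces around the equals sign, and a
# request-id key whose capitalisation differs between Received (RequestId) and
# Completed/Error (RequestID) events, as in the messages quoted in the thread.
SAMPLE_EVENTS = [
    ("2022-11-02 17:01:20", "css_request_id = 11111111; RequestStatus = Received; EnvName = tst111; RequestId = 11111111--HO1FQtsdshNVf80E; bucket = testbucket; key = DATA.xml; attempts = 1;"),
    ("2022-11-02 17:01:21", "css_request_id = 11111111; RequestStatus = Completed; RequestID = 11111111--HO1FQtsdshNVf80E; responseStatusCode = True; key = DATA.xml;"),
    ("2022-11-02 17:01:22", "css_request_id = 11111114; RequestStatus = Received; EnvName = tst111; RequestId = 11111114--AbCd; attempts = 1;"),
    ("2022-11-02 17:01:23", "css_request_id = 11111114; RequestStatus = Error; RequestID = 11111114--AbCd; responseStatusCode = False;"),
    ("2022-11-02 17:01:24", "css_request_id = 11111115; RequestStatus = Received; EnvName = tst111; RequestId = 11111115--XyZ; attempts = 1;"),
]

# Python versions of the thread's two rex patterns. "[^;\s]+" stops at the separating
# semicolon, where "\S+" would also swallow it. "RequestI[Dd]" accepts both spellings
# of the key and does not match the lower-case "css_request_id" pair.
STATUS_RE = re.compile(r"RequestStatus = (?P<RequestStatus>[^;\s]+)")
REQUEST_ID_RE = re.compile(r"RequestI[Dd] = (?P<RequestID>[^;\s]+)")

# Generic parser for the whole "key = value;" message, tolerant of the spaces around
# "=" and before ";". Useful when more than two fields are wanted.
PAIR_RE = re.compile(r"(?P<key>\w+)\s*=\s*(?P<value>[^;]*?)\s*;")


def extract_fields(message):
    """Return {"RequestStatus": ..., "RequestID": ...} for one message, or None if either key is absent."""
    status = STATUS_RE.search(message)
    request_id = REQUEST_ID_RE.search(message)
    if status is None or request_id is None:
        return None
    return {
        "RequestStatus": status.group("RequestStatus"),
        "RequestID": request_id.group("RequestID"),
    }


def parse_pairs(message):
    """Return every key = value pair in the message as a dict (later duplicates win)."""
    return {m.group("key"): m.group("value") for m in PAIR_RE.finditer(message)}


def build_report(events):
    """Group extracted fields by RequestID: (RequestID, comma-joined distinct statuses, event count).

    Statuses keep first-seen order so a request reads "Received,Completed" chronologically.
    Events missing either field are skipped, as they would drop out of a Splunk table.
    """
    grouped = defaultdict(list)
    for _time, message in events:
        fields = extract_fields(message)
        if fields is None:
            continue
        grouped[fields["RequestID"]].append(fields["RequestStatus"])

    report = []
    for request_id in sorted(grouped):
        distinct = list(dict.fromkeys(grouped[request_id]))
        report.append((request_id, ",".join(distinct), len(grouped[request_id])))
    return report


if __name__ == "__main__":
    # Show that EnvName is simply another pair and never gets in the way of RequestId.
    print(parse_pairs(SAMPLE_EVENTS[0][1]))
    print(f"{'RequestID':<28} {'RequestStatus':<20} RequestStatusCount")
    for request_id, statuses, count in build_report(SAMPLE_EVENTS):
        print(f"{request_id:<28} {statuses:<20} {count}")
```

Running the block prints a report in the shape requested above, with one row per RequestID, its statuses joined by commas, and the number of events that contributed; a request that has only been Received so far shows a count of 1.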

richgalloway
SplunkTrust

I'm not sure how to do that.  Sorry.

---
If this reply helps you, Karma would be appreciated.

richgalloway
SplunkTrust

You have the right idea, but the RequestID regex needs improvement.

index="gd" RequestStatus RequestID 
| rex "RequestStatus = (?<RequestStatus>\S+)" 
| rex "RequestID = (?<RequestID>\S+)" 
| table RequestID, RequestStatus, _time
---
If this reply helps you, Karma would be appreciated.

padrsri
Explorer

Hello Richgalloway,

Thank you for the quick response. Somehow, I'm not getting the request ID for "RequestStatus = Received; EnvName = tst111; RequestId = abceesxs-e8cf-383a-81d6-78185430c323--HO1FQtsdshNVf80E;". Do I need a regex to exclude "EnvName = tst111;"?

Thanks,


richgalloway
SplunkTrust

The RequestID tag is not consistent - sometimes it uses 'D' and sometimes 'd'.  This query should handle that.

index="gd" RequestStatus RequestID 
| rex "RequestStatus = (?<RequestStatus>\S+)" 
| rex "RequestI[Dd] = (?<RequestID>\S+)" 
| table RequestID, RequestStatus, _time
---
If this reply helps you, Karma would be appreciated.

padrsri
Explorer

Thank you for all your help, it's working as expected.