Splunk Search

How to set a custom value if extraction found a match

mnarmada
Path Finder

Hello All,

I have a log file where I am trying to extract one match, and if I find that match I have to put it as "File Received", and if I don't find it, put "File Not Received".

Here is the sample piece in the log.

19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618.TXT_20190618193001755 sended and deleted

From the above, I am trying to extract only PMGTN901-MA07-MA07AE_2019618 when it is sended and deleted.
If I find the match I have to customize it as mentioned above.

Note: There are a lot of files like this (PMGTN901-MA07-MA07AE_2019618) with "sended and deleted" and with different names like POOOD901-ABCD-FTTXPP_2019618, but I have to extract the exact match of PMGTN901-MA07-MA07AE.

I tried this way, but it is giving the opposite value.

source ="xyz.LOG"  sourcetype="xyz"
| eval file=if(match(_raw, "^FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}$"), "File Received", "File Not Received")

But this is giving me "File Not Received" even though that file has that match.

Please help me as I am stuck in the middle.

Many Thanks!!

Regards,
Narmada

0 Karma
1 Solution

jaime_ramirez
Communicator

Hi

Try removing the ^ and $ from the regex:

source ="xyz.LOG" sourcetype="xyz"
| eval file=if(match(_raw, "FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"), "File Received", "File Not Received")

Cheers!!!

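As an added illustration (not part of the thread), here is the pattern body posted above run in Python against the question's sample line, once with the ^ and $ anchors of the original attempt and once without. The third pattern is my own assumed stricter variant, not from the thread: it pins the literal file name PMGTN901-MA07-MA07AE in a capture group so that only that exact file counts and the name can be pulled out. The second and third sample lines are constructed to show that the posted pattern also accepts other names of the same shape. Python's re and Splunk's match() agree on the constructs used here (\s, \W, \S, \d, counted repeats, anchors), so the outcomes transfer.

```python
import re

# Constructed sample event: the line quoted in the question.
SAMPLE_EVENT = (
    r"19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI\PMGTN901-MA07-MA07AE_2019618"
    r".TXT_20190618193001755 sended and deleted"
)

# Constructed second event with a different file name; the question says
# this kind of line must NOT count as the PMGTN901-MA07-MA07AE file.
OTHER_EVENT = SAMPLE_EVENT.replace("PMGTN901-MA07-MA07AE", "POOOD901-ABCD-FTTXPP")

# Constructed near-miss: same shape as the wanted name, different letters.
NEAR_MISS_EVENT = SAMPLE_EVENT.replace("PMGTN901-MA07-MA07AE", "ABCDE123-MA07-XY99ZZ")

# The pattern body from the thread, exactly as posted.
PATTERN_BODY = (
    r"FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"
)

# The original attempt: anchored to the start and end of the whole event.
# _raw starts with the timestamp and ends with "sended and deleted", so
# neither anchor can be satisfied and the match always fails.
ANCHORED = re.compile("^" + PATTERN_BODY + "$")

# The accepted answer: same body, no anchors, so it may match anywhere in _raw.
UNANCHORED = re.compile(PATTERN_BODY)

# Assumed stricter pattern (not from the thread): the literal file name in a
# capture group, so only that exact file counts and the name is extractable.
EXACT = re.compile(
    r"FILE\s+C:\\PELIBIB\\STD\\EMI\\(PMGTN901-MA07-MA07AE)_(\d{6,8})\S*\s+sended and deleted"
)


def classify(event: str, pattern: re.Pattern) -> str:
    """Mirror of: eval file=if(match(_raw, ...), "File Received", "File Not Received")."""
    return "File Received" if pattern.search(event) else "File Not Received"


def extract_exact(event: str):
    """Return the exact file name when the event is the wanted file, else None."""
    m = EXACT.search(event)
    return m.group(1) if m else None


if __name__ == "__main__":
    for label, ev in [("sample", SAMPLE_EVENT), ("other", OTHER_EVENT), ("near miss", NEAR_MISS_EVENT)]:
        print(f"{label:9s} anchored={classify(ev, ANCHORED)!r:21} "
              f"unanchored={classify(ev, UNANCHORED)!r:21} exact={extract_exact(ev)!r}")
```

The near-miss line is the reason to prefer the literal name: the posted character classes describe the shape of the name, not the name itself, so any file of that shape would be reported as received.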

mnarmada
Path Finder

Hi,

It would be great if at least I could get a solution for the below:
In my dashboard, whenever my regex match is found it shows the values, and where there is no match it shows null values, as I did stats count by _time.
I want another color instead of showing null.
For example, on 27th July there is a match in my log file, so it is showing one coloured column in the dashboard, and on 28th July I did not receive the file, so it is showing null. I want another color in place of null rather than null.

In the source code I tried like this, but it is not working. Please help me.

<colorPalette type="expression">if(match(value,"FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"),"#555555","#D93F3C")</colorPalette>
</format>

Thanks in advance.

0 Karma

jaime_ramirez
Communicator

Hi

Could you provide more info?

Cheers!!!

0 Karma

mnarmada
Path Finder

Hello,

Thanks For the quick response!!

I have tried the same, removing ^ and $, but now the problem is that it is giving a "File Received" count of 1, as there is only one match in the entire file, and a "File Not Received" count of 1034, as it is taking the other rows which do not match the regex.
I would like to check only the matched ones in my visualization, because when I am working on 2 or more files it is giving issues.
Please help me for the same.

I am checking like below, but I feel it is not feasible, because the time in the file is 19:30 SGT but in the visualization it is giving 00:00:00.
| eval AVIEXP=if(match(_raw, "FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"), "File Received", "File Not Received")
| bucket _time
| eval Time = strftime(_time, "%Y-%m-%d %H:%M:%S")
| chart count by AVIEXP Time | where AVIEXP = "File Received"

Thanks,
Narmada

0 Karma

jaime_ramirez
Communicator

If you want to filter only the events containing the match PMGTN901-MA07-MA07AE, you could try using the regex command instead.

https://docs.splunk.com/Documentation/Splunk/7.3.0/SearchReference/Regex

Try this:

source ="xyz.LOG" sourcetype="xyz"
| regex _raw="FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}" 
| stats count by _time
| eval AVIEXP=case(count > 0, "File Received")
| appendpipe 
    [ stats count 
    | where count=0
    | eval AVIEXP="File Not Received"]

Hope it helps

0 Karma

mnarmada
Path Finder

Helped in a great way!!

But a small issue: in the statistics tab it is giving the exact time, i.e. 19:30:00, but in the visualization tab it is giving 2:00:00.
Could you please tell me what the reason is? Do I need to change any default settings?

Thanks,
Narmada

0 Karma

mnarmada
Path Finder

I have changed my default time zone and it is working fine now.
But...
When I use the above query, it is just taking the matched events from the sources, but when there is no match in one file/source it is not giving any value or custom message, or at least not giving that particular day's date and "File Not Received" (its custom message). And in the visualization it is giving all the day values which matched, and when there is no match it is showing null.

For example, this month we have received the file every day except 9th July and 15th July. As there is no file received on the 9th and 15th, it should give the custom message, i.e. "File Not Received", in the table, but it is showing only "File Received" values.
This is not helpful for the business.

Also in the dashboard it is showing blank but I need a column in the column chart saying file not received.

Please help me with your guidance.

Thanks in Advance!!

0 Karma
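The behaviour described in the last two posts follows from how the appendpipe in jaime_ramirez's regex/stats/appendpipe answer is evaluated: the subsearch sees the rows that stats already produced, not the raw events, so it can only ever add a single "File Not Received" row, and only when nothing matched anywhere in the search window. Below is an added simulation of that pipeline in Python (not from the thread; it buckets _time to whole days and uses constructed events) next to an alternative that decides the status per day:

```python
import re
from collections import Counter
from datetime import date

# The regex from the accepted answer, as posted in the thread.
PATTERN = re.compile(
    r"FILE\s+C\W+PELIBIB\WSTD\WEMI\W[A-Z]{5}\d{3}\WMA07\W[A-Z]{2}\d{2}[A-Z]{2}\S\d{6,8}"
)

# Constructed line prefix in the format quoted in the question.
PREFIX = r"19:30:09 O 601323 FILE C:\PELIBIB\STD\EMI" + "\\"


def make_event(name: str, day: str) -> str:
    """Build a constructed log line in the format quoted in the question."""
    return f"{PREFIX}{name}_{day}.TXT_{day}193001755 sended and deleted"


# Constructed events over three days; only the 8th and 10th carry the wanted
# file, the 9th only has a different file and an unrelated line.
EVENTS = [
    (date(2019, 7, 8), make_event("PMGTN901-MA07-MA07AE", "2019708")),
    (date(2019, 7, 8), "19:31:00 O 601324 connection closed"),
    (date(2019, 7, 9), make_event("POOOD901-ABCD-FTTXPP", "2019709")),
    (date(2019, 7, 10), make_event("PMGTN901-MA07-MA07AE", "2019710")),
]


def thread_pipeline(events):
    """Mirror of the answer's pipeline, with _time bucketed to whole days:
    regex ... | stats count by _time | eval AVIEXP=case(count > 0, "File Received")
    | appendpipe [ stats count | where count=0 | eval AVIEXP="File Not Received" ]
    """
    # regex: keep only events whose _raw matches.
    matched_days = [d for d, raw in events if PATTERN.search(raw)]
    # stats count by _time: one row per day that had at least one match.
    rows = [
        {"_time": d.isoformat(), "count": c, "AVIEXP": "File Received"}
        for d, c in sorted(Counter(matched_days).items())
    ]
    # appendpipe: the subsearch sees the rows above, not the raw events, so
    # `stats count` counts day rows; count=0 only when nothing matched at all.
    if len(rows) == 0:
        rows.append({"count": 0, "AVIEXP": "File Not Received"})
    return rows


def per_day_status(events):
    """Decide the status for every day that has any event, so a day with
    events but no matching file gets an explicit "File Not Received" row."""
    days = sorted({d for d, _ in events})
    matched = {d for d, raw in events if PATTERN.search(raw)}
    return [
        {"_time": d.isoformat(),
         "AVIEXP": "File Received" if d in matched else "File Not Received"}
        for d in days
    ]


if __name__ == "__main__":
    print("thread pipeline:", thread_pipeline(EVENTS))
    print("thread pipeline, no matches:", thread_pipeline([]))
    print("per-day status:", per_day_status(EVENTS))
```

The thread pipeline yields rows for the 8th and 10th only and no "File Not Received" row, because the appendpipe subsearch counts two day rows rather than zero. The per-day version reports the 9th as "File Not Received", but it still cannot report a day on which the source produced no events at all; in SPL that case needs a time-bucketing command such as timechart with span=1d, which emits a zero-count bucket for every empty day in the search range.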

woodcock
Esteemed Legend

You should click Accept to close this answer and ask a new one.

0 Karma