Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In field extraction, how to do the matching between them and increment the result?

omarka
New Member
‎07-03-2018 06:50 AM

Hi everyone,

I'm looking to have this result:
alt text

For that I have 2 lines in my file:

  • Question: Service + IdTransaction
  • Response: Status + IdTransaction

Until now i can extract the different name of service and different codes but i don't know how to do the matching between them and to increment the result. 

| rex "(?<Service>CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" 
| rex field=_raw "Tlv Dico : (?<new>.{22}.{27})?"
| rex field=new "2004(?<Status>.{5})?"
| stats count(TransactionId) by Service , Status
Preview file
1 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-03-2018 08:15 AM

You are getting no results because there is no event with both a Status and a TransactionId. You need to roll together your two events into a single event per TransactionId.

Try this... 

 your base search
 | rex "(?<Service>CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" 
 | rex field=_raw "Tlv Dico : (?<new>.{22}.{27})?"
 | rex field=new "2004(?<Status>.{5})?"
 | stats values(Service) as Service values(Status) as Status by TransactionId
 | stats count(TransactionId) by Service , Status

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-03-2018 08:15 AM

You are getting no results because there is no event with both a Status and a TransactionId. You need to roll together your two events into a single event per TransactionId.

Try this... 

 your base search
 | rex "(?<Service>CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" 
 | rex field=_raw "Tlv Dico : (?<new>.{22}.{27})?"
 | rex field=new "2004(?<Status>.{5})?"
 | stats values(Service) as Service values(Status) as Status by TransactionId
 | stats count(TransactionId) by Service , Status
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 08:44 AM

Thank you @DalJeanis for your answer.
However, i want to know if it's possible to switch or transpose this values by having something like that:

Service 00000 02040 06570
CONSULT 1650 150 15

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-03-2018 10:17 AM

@omarka -

Assuming your columns are values of Status, then you are looking for the chart command. Replace the final stats with... 

| chart count(TransactionId) by Service, Status

More detail on how to use it here -

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Chart

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-03-2018 07:29 AM

@omarka if you can add some masked/anonymized sample events, it would be easier for the community members to help you with regex as it would be strictly dependent on your data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-03-2018 07:12 AM

Can you explain how the output of that search query you have so far does not match with what you want?

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 07:15 AM

Well, it tells me: No results found.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-03-2018 07:18 AM

Are you running just that specific search? Because I would expect there needs to be something before that, to actually search some data (ie index=foo sourcetype=bar).

Also: that TransactionId field, does that exist and contain data?

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 07:30 AM

No i'm running this search : (host=g5d66999 OR g5d66956)
Logger=srvca TLV | rex "(?CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)"
| rex field=_raw "Tlv Dico : (?.{22}.{27})?"
| rex field=new "2004(?.{5})?"
| stats count(TransactionId) by Service , Status
And yes TransactionID contains data

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-03-2018 07:32 AM

TransactionID or TransactionId? Field names are case sensitive!

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 07:39 AM

Yes it is exactly TransactionId

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 08:05 AM

I'll explain how it works and what i want.
I have 2 lines containing each one "TransactionId" & "Service" and "TransactionId" & "Status", so when we find

  • 401 as TransactionId and CONSULT as Service
  • 401 as TransactionId and 000000 as Status

So (for example) this is the first line in results, if we find

  • 453 as TransactionId and CONSULT as Service
  • 453 as TransactionId and 000000 as Status

It will increment the first line as shown in the table at the top and so on ...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...