Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

In field extraction, how to do the matching between them and increment the result?

omarka
New Member
‎07-03-2018 06:50 AM

Hi everyone,

I'm looking to have this result:
alt text

For that I have 2 lines in my file:

  • Question: Service + IdTransaction
  • Response: Status + IdTransaction

Until now i can extract the different name of service and different codes but i don't know how to do the matching between them and to increment the result. 

| rex "(?<Service>CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" 
| rex field=_raw "Tlv Dico : (?<new>.{22}.{27})?"
| rex field=new "2004(?<Status>.{5})?"
| stats count(TransactionId) by Service , Status
Preview file
11 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-03-2018 08:15 AM

You are getting no results because there is no event with both a Status and a TransactionId. You need to roll together your two events into a single event per TransactionId.

Try this... 

 your base search
 | rex "(?<Service>CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" 
 | rex field=_raw "Tlv Dico : (?<new>.{22}.{27})?"
 | rex field=new "2004(?<Status>.{5})?"
 | stats values(Service) as Service values(Status) as Status by TransactionId
 | stats count(TransactionId) by Service , Status

View solution in original post

Reply
Solved! Jump to solution
Solution

DalJeanis
Legend
‎07-03-2018 08:15 AM

You are getting no results because there is no event with both a Status and a TransactionId. You need to roll together your two events into a single event per TransactionId.

Try this... 

 your base search
 | rex "(?<Service>CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)" 
 | rex field=_raw "Tlv Dico : (?<new>.{22}.{27})?"
 | rex field=new "2004(?<Status>.{5})?"
 | stats values(Service) as Service values(Status) as Status by TransactionId
 | stats count(TransactionId) by Service , Status
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 08:44 AM

Thank you @DalJeanis for your answer.
However, i want to know if it's possible to switch or transpose this values by having something like that:

Service 00000 02040 06570
CONSULT 1650 150 15

0 Karma
Reply
Solved! Jump to solution

DalJeanis
Legend
‎07-03-2018 10:17 AM

@omarka -

Assuming your columns are values of Status, then you are looking for the chart command. Replace the final stats with... 

| chart count(TransactionId) by Service, Status

More detail on how to use it here -

http://docs.splunk.com/Documentation/Splunk/7.1.1/SearchReference/Chart

0 Karma
Reply
Solved! Jump to solution

niketn
Legend
‎07-03-2018 07:29 AM

@omarka if you can add some masked/anonymized sample events, it would be easier for the community members to help you with regex as it would be strictly dependent on your data.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-03-2018 07:12 AM

Can you explain how the output of that search query you have so far does not match with what you want?

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 07:15 AM

Well, it tells me: No results found.

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-03-2018 07:18 AM

Are you running just that specific search? Because I would expect there needs to be something before that, to actually search some data (ie index=foo sourcetype=bar).

Also: that TransactionId field, does that exist and contain data?

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 07:30 AM

No i'm running this search : (host=g5d66999 OR g5d66956)
Logger=srvca TLV | rex "(?CONSULT|FIN_GB|FIN_RESERVE|FIN_VENDEUR|AUTHENTIF)"
| rex field=_raw "Tlv Dico : (?.{22}.{27})?"
| rex field=new "2004(?.{5})?"
| stats count(TransactionId) by Service , Status
And yes TransactionID contains data

0 Karma
Reply
Solved! Jump to solution

FrankVl
Ultra Champion
‎07-03-2018 07:32 AM

TransactionID or TransactionId? Field names are case sensitive!

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 07:39 AM

Yes it is exactly TransactionId

0 Karma
Reply
Solved! Jump to solution

omarka
New Member
‎07-03-2018 08:05 AM

I'll explain how it works and what i want.
I have 2 lines containing each one "TransactionId" & "Service" and "TransactionId" & "Status", so when we find

  • 401 as TransactionId and CONSULT as Service
  • 401 as TransactionId and 000000 as Status

So (for example) this is the first line in results, if we find

  • 453 as TransactionId and CONSULT as Service
  • 453 as TransactionId and 000000 as Status

It will increment the first line as shown in the table at the top and so on ...

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...