Issue with Splunk Query Stats not brining in all v...

bhartiya008 · ‎02-25-2021

Hi All,

I have a log which has below lines in it:

"Results":{"Elapsed":"0","Message":"No of Application to Obsolete in Teradata : 4","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application Asset in Teradata : 1696","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application count from SPAM : 1694","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":" Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}

I want the output to have the below fields:
No of Application to Obsolete in Teradata : 4
Total Application Asset in Teradata : 1696
Total Application count from SPAM : 1694
Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]

I have built below query but it's only giving me one record :

ExecutionDate Host Total Application count from SPAM : 1694

index=hdt  sourcetype=Teradata_SPAM_logs  | fields -_raw
| where match(_raw, "Host_cdc") and (match(_raw,"Total\sApplication\scount\sfrom\sSPAM\s*") 
OR match(_raw,"Total\sApplication\sAsset\sin\sTeradata\s*") 
OR match(_raw,"No\sof\sApplication\sto\sObsolete\sin\sTeradata\s*") 
OR match(_raw,"List\sof\sApplications\sin\sTeradata\sto\sbe\smarked*") 
)
| rex "(?<Summary>\"Message\":(.*\w+)\s:.*)" 
| rex "(?<Host>\"Host\":(.*\",))" 
| rex "(?<ExecutionDate>\d{4}\-\d{2}\-\d{2})" 
| rex field=Summary mode=sed "s/\"Message\":\"/ /"
| rex field=Summary mode=sed "s/\"TraceLevel.*/ /"
| rex field=Summary mode=sed "s/\".*$//"
| rex field=Host mode=sed "s/\"Channel.*/ /" 
| rex field=Host mode=sed "s/\"Host\":\"/ /" 
| rex field=Host mode=sed "s/\/.*/ /"
| eval Host = replace(Host,"Host_cdc.cdc.CRAB.com", "PRODUCTION") 
| eval Host = replace(Host,"Host_DEV.cdc.CRAB.com", "PROFILING") 
| eval Host = replace(Host,"Host_PP.cdc.CRAB.com", "VALIDATION") 
| stats  values(Summary) as Summary by ExecutionDate, Host
| where isnotnull(Summary)

Can anyone tell me where is the problem here?

ITWhisperer · ‎02-25-2021

Try these rex

| rex "\"Message\":\"(?<Summary>[^\"]+)" 
| rex "\"Host\":\"(?<Host>[^\"]+)" 
| rex "(?<ExecutionDate>\d{4}\-\d{2}\-\d{2})"

bhartiya008 · ‎02-25-2021

When I run the part till match ..I am able to see all the 4 rows in the event data.

ITWhisperer · ‎02-25-2021

Are all the examples from the production host, or do you have a mixture?

bhartiya008 · ‎02-25-2021

We have a mixture there and I am picking only for production.
Even if I remove that where clause for the host I am still getting one row which is very strange.

ITWhisperer · ‎02-25-2021

The final line of your example doesn't match the where clause, but that doesn't explain why only one does.

bhartiya008 · ‎02-25-2021

@ITWhisperer -- tried the below , but still getting the same one row.

Issue with Splunk Query Stats not brining in all values

field extraction

rex

stats

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Automating Threat Operations and Threat Hunting with Recorded Future

Keep the Learning Going with the New Best of .conf Hub

Splunk Community Badges!

Join the Conversation