Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Issue with Splunk Query Stats not brining in all values

bhartiya008
Explorer
‎02-25-2021 10:01 PM

Hi All,

I have a log which has below lines in it:

"Results":{"Elapsed":"0","Message":"No of Application to Obsolete in Teradata : 4","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application Asset in Teradata : 1696","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":"Total Application count from SPAM : 1694","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}
"Results":{"Elapsed":"0","Message":" Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]","TraceLevel":"INFO"},"Security":{"Vendor":"CRAB"}}

 

I want the output to have the below fields:
No of Application to Obsolete in Teradata : 4
Total Application Asset in Teradata : 1696
Total Application count from SPAM : 1694
Application/s to Obsolete in Teradata : [PA00007618, PA00007617, PA00007619, PA00007620]

I have built below query but it's only giving me one record :

ExecutionDate Host Total Application count from SPAM : 1694



index=hdt  sourcetype=Teradata_SPAM_logs  | fields -_raw
| where match(_raw, "Host_cdc") and (match(_raw,"Total\sApplication\scount\sfrom\sSPAM\s*") 
OR match(_raw,"Total\sApplication\sAsset\sin\sTeradata\s*") 
OR match(_raw,"No\sof\sApplication\sto\sObsolete\sin\sTeradata\s*") 
OR match(_raw,"List\sof\sApplications\sin\sTeradata\sto\sbe\smarked*") 
)
| rex "(?<Summary>\"Message\":(.*\w+)\s:.*)" 
| rex "(?<Host>\"Host\":(.*\",))" 
| rex "(?<ExecutionDate>\d{4}\-\d{2}\-\d{2})" 
| rex field=Summary mode=sed "s/\"Message\":\"/ /"
| rex field=Summary mode=sed "s/\"TraceLevel.*/ /"
| rex field=Summary mode=sed "s/\".*$//"
| rex field=Host mode=sed "s/\"Channel.*/ /" 
| rex field=Host mode=sed "s/\"Host\":\"/ /" 
| rex field=Host mode=sed "s/\/.*/ /"
| eval Host = replace(Host,"Host_cdc.cdc.CRAB.com", "PRODUCTION") 
| eval Host = replace(Host,"Host_DEV.cdc.CRAB.com", "PROFILING") 
| eval Host = replace(Host,"Host_PP.cdc.CRAB.com", "VALIDATION") 
| stats  values(Summary) as Summary by ExecutionDate, Host
| where isnotnull(Summary)

Can anyone tell me where is the problem here?

Labels (3)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-25-2021 11:23 PM

Try these rex

| rex "\"Message\":\"(?<Summary>[^\"]+)" 
| rex "\"Host\":\"(?<Host>[^\"]+)" 
| rex "(?<ExecutionDate>\d{4}\-\d{2}\-\d{2})"
0 Karma
Reply

bhartiya008
Explorer
‎02-25-2021 11:40 PM

When I run the part till match ..I am able to see all the 4 rows in the event data.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-25-2021 11:53 PM

Are all the examples from the production host, or do you have a mixture?

0 Karma
Reply

bhartiya008
Explorer
‎02-25-2021 11:57 PM

We have a mixture there and I am picking only for production.
Even if I remove that where clause for the host I am still getting one row which is very strange.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-25-2021 11:50 PM

The final line of your example doesn't match the where clause, but that doesn't explain why only one does.

0 Karma
Reply

bhartiya008
Explorer
‎02-25-2021 11:33 PM

@ITWhisperer -- tried the below , but still getting the same one row.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...