Solved: Regex, Split into fields and timechart

borisalves · ‎08-02-2011

I have several of this kind:

8/2/11 2:20:57.000 PM  2011-08-02 14:20:57 Err: DeliveryPolicy:: _deliverRequest: failed to route request[42] for [TestRPC.1@G2MP2:getTestManagementURL] from peer 810607[ept] [(2008) "ECError::eNotFound"]
host=g2megw22.las.expertcity.com   Options|  sourcetype=egw   Options|  source=/opt/ec/egw/logs/egw_g2m_live_g2megw22.las.expertcity.com-1-20110802.log   Options

I need to Extract :

[TestRPC.1@G2MP2:getTestManagementURL]

Than Split into a fields:

Service=TestRPC.1@G2MP2
Method=getTestManagementURL

I will present this as a histogram with timechart.

I have not been sucessful so far with rex
thanks

borisalves · ‎03-04-2013

Here is the final result:

"failed to route request" sourcetype="egw" | rex field=_raw "for \[(?<service>.?):(?<method>.?)\]" | timechart span=1d count by service and then "failed to route request" sourcetype="egw" | rex field=_raw "for \[(?<service>.?):(?<method>.?)\]" | timechart span=1d count by method

I will try to combine both graphs.

View solution in original post

borisalves · ‎03-04-2013

Here is the final result:

"failed to route request" sourcetype="egw" | rex field=_raw "for \[(?<service>.?):(?<method>.?)\]" | timechart span=1d count by service and then "failed to route request" sourcetype="egw" | rex field=_raw "for \[(?<service>.?):(?<method>.?)\]" | timechart span=1d count by method

I will try to combine both graphs.

Regex, Split into fields and timechart

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Unlocking Unified Insights: New Gigamon Federated Search App for Splunk

GA: New Data Management App in Splunk Platform

Announcing Modern Navigation: A New Era of Splunk User Experience

Join the Conversation