justgettingstarted

officialsubho · ‎05-17-2019

I have this following string

2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'

i just need to extract value against the name keyword and use it as a field to run stats against it .
How can i extract the value ? Can someone plz help with the SPL ?

justgettingstarted

Vijeta · ‎05-21-2019

@officialsubho you can use this rex command

 rex field=_raw "name=\'(?<name>[^\']+)\'"

koshyk · ‎05-17-2019

I would have thought, Splunk automatically extracts it?

Anyway, Please find the regex

|makeresults
| eval myraw="2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'"
| rex field=myraw "name=\'(?<name>[^\']+)\'"
| fields name

In regex101 => https://regex101.com/r/yWXFJ7/1

officialsubho · ‎05-21-2019

Thanks @koshyk , but i am not looking for the regex .
i Just need store the name='XYZ Service' in a separate field , so that i can run counts against it .

i am trying to figure out how many times a particular XYZ service showed down status on the logs .
let me know if that makes sense .

koshyk · ‎05-21-2019

so you want the whole of name='XYZ Service' to be in a separate field?

In the above regex, you will get the field name as "name", but you can change it to whatever it suits you.

|makeresults
 | eval myraw="2019-05-17 11:30:14.262 INFO 13 --- [pool-3-thread-1] com.abcd.efgh.ijk.statuspage.StatusPage : Application[id=00, name='XYZ Service', environment='Production', status='DOWN'"
 | rex field=myraw "name=\'(?<myNewField>[^\']+)\'"
 | stats count by myNewField

..

Regex with eval ?

justgettingstarted

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!