Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Rex/RegEx Question

tkwaller
Builder
‎02-07-2014 11:33 AM

Hello

I am trying to pull a text string out of some raw results using a simple regex. Heres my question: I would like to be able to get a stats count on the number of occurrances of this string. i would assume that you would have to put it into another field as it is simple text at the moment and not in a field. How would I do this? I am new to the rex/regex portion of Splunk and could use a little guidance.

Here is the raw data:

log_source=TT.WebService.Internal.OrderIntegration.OrderIntegration - Unable to reserve shopping cart: Attempt to add tickets to the shopping cart resulted in a failure due to tickets no longer being on the exchange.
TT.Logic.TicketsNotFoundException: Exception of type 'TT.Logic.TicketsNotFoundException' was thrown.

I used \bUnable\b.* to get just the sentence "Unable to reserve shopping cart: Attempt to add tickets to the shopping cart resulted in a failure due to tickets no longer being on the exchange."

I tried using "rex field=_raw...." and also creating a field named error like "rex field=error mode=sed" but am still not doing something correctly.

Any advice would be appreciated, thank you!

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎02-07-2014 12:12 PM

Try this:

search |rex ".*(?P<UnableCart>unable.*)" |table UnableCart

View solution in original post

Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 12:50 PM

In order to count events containing a certain string, try something like this:

index=foo sourcetype=bar "a certain string" | stats count
0 Karma
Reply
Solved! Jump to solution

tkwaller
Builder
‎02-07-2014 12:48 PM

I am trying to count the number of events that contain this string

0 Karma
Reply
Solved! Jump to solution

martin_mueller
SplunkTrust
SplunkTrust
‎02-07-2014 12:12 PM

Are you trying to count the number of events that contain a certain string, or are you trying to count the number of times a certain string appears in one event?

0 Karma
Reply
Solved! Jump to solution
Solution

lukejadamec
Super Champion
‎02-07-2014 12:12 PM

Try this:

search |rex ".*(?P<UnableCart>unable.*)" |table UnableCart

Reply
Solved! Jump to solution

tkwaller
Builder
‎02-07-2014 12:53 PM

Getting closer. I think I can move forward from here through trial and error. Thanks so much for the guidance

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

&#x1f5e3; You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...