Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Rex query
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishnpandey
Explorer
07-18-2017
01:57 PM
For below input I tried search query as
index=myindex "Notification"|rex "(MQ) (?\d+) = (?\w+)"|stats count(Notification)
However, its not working says "no result found". The moment I take off ==> stats count(Notification)
it shows values
Input:
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = EMAIL
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = SMS
[7/18/17 11:21:36:434 EDT] 00004b1d SystemOut O Notification Type (MQ) = VOICE
Output
Notification Type TypeCode
MQ EMAIL
MQ SMS
MQ VOICE
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-18-2017
02:22 PM
Okay, reading what I can read, i don't see why it would succeed.
Your rex is looking for a decimal number after (MQ) and before the =, which is not in your data.
Something like this should pull the two fields...
| rex "Notification Type \((?<NotifType>[^\)]*)\) = (?<TypeCode>\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
DalJeanis
Legend
07-18-2017
02:22 PM
Okay, reading what I can read, i don't see why it would succeed.
Your rex is looking for a decimal number after (MQ) and before the =, which is not in your data.
Something like this should pull the two fields...
| rex "Notification Type \((?<NotifType>[^\)]*)\) = (?<TypeCode>\w+)"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
harishnpandey
Explorer
07-19-2017
04:01 AM
Thank you Jean. I figured out my mistake with your help 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
07-18-2017
02:07 PM
You query is truncated. Please edit the question to add the query again and ensure that you select the query and click on button "101010" OR press Ctrl+K to format the code (to retains all formatting/content). Do the same for your raw data and output
Related Topics
Get Updates on the Splunk Community!
The Payment Operations Wake-Up Call: Why Financial Institutions Can't Afford ...
The same scenario plays out across financial institutions daily. A payment system fails at 11:30 AM on a busy ...
Make Your Case: A Ready-to-Send Letter for Getting Approval to Attend .conf25
Hello Splunkers,
Want to attend .conf25 in Boston this year but not sure how to convince your manager? We've ...
Community Spotlight: A Splunk Expert's Journey
In the world of data analytics, some journeys leave a lasting impact not only on the individual but on the ...
