Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Search on this Key Value pair to display PricingInfo / PricingCount

smudge797
Path Finder
‎03-17-2015 03:23 AM

How can i search on this Key Value pair to display PricingInfo / PriceCount

An example log entry may look like the below.

1001=25, 1011=10

Made up of these values:

PricingInfo PricingCount
0000 Contains an int from 0-99
0001 Contains an int from 0-99
0010 Contains an int from 0-99
0011 Contains an int from 0-99
0100 Contains an int from 0-99
0101 Contains an int from 0-99
0110 Contains an int from 0-99
0111 Contains an int from 0-99
1000 Contains an int from 0-99
1001 Contains an int from 0-99
1010 Contains an int from 0-99
1011 Contains an int from 0-99
1100 Contains an int from 0-99
1101 Contains an int from 0-99
1110 Contains an int from 0-99
1111 Contains an int from 0-99

0 Karma
Reply

bjoernjensen
Contributor
‎03-17-2015 04:59 PM

You may get the needed information with something like this:

... | stats count by PricingInfo
0 Karma
Reply

smudge797
Path Finder
‎03-19-2015 07:48 AM

Great thanks!

0 Karma
Reply

smudge797
Path Finder
‎03-18-2015 07:15 AM

But it just looks like this in Splunk 1100=4:

Timestamp=2015-03-18 07:07:31, Level=INFO, EventId=16007, ReqID=bcacbafd-bddb-49d4-8d36-a7445daf0fc6, 1100=4

0 Karma
Reply

bjoernjensen
Contributor
‎03-18-2015 09:19 AM

I think search time field extraction will help you:
http://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Managesearch-timefieldextractions

Two approaches:

1

first extract two fields:

... | rex "(?<PricingInfo>[0-1]{4})=(?<PricingCount>\d{0,1})" | ...

After this you can search like this:

... | PricingInfo="1100" PricingCount="4" | ...

OR

2

extract one field:

... | rex "(?<PricingField>[0-1]{4}=\d{0,1})" | ...

After this you can search like this:

... | PricingField="1100=4" | ...
0 Karma
Reply

tachifelix
Path Finder
‎03-17-2015 03:50 AM

give more detail

0 Karma
Reply

smudge797
Path Finder
‎03-17-2015 06:06 AM

I have some Splunk logging that has a field (key) that represents a bitmask, and a value. There's a fixed number of bitmask combinations as listed in the PricingInfo column above. I need to do some counting of the values and have been unable to do so with the way the field is constructed. We would need to add a field to represent the bitmask values, and a field for the count such as above.

0 Karma
Reply
Get Updates on the Splunk Community!

September Community Champions: A Shoutout to Our Contributors!

As we close the books on another fantastic month, we want to take a moment to celebrate the people who are the ...

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...