Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Serching Development Log Files
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I am brand new to Splunk. I just finished setting up a Ubuntu server for indexing and have got all my forwarders working just fine. When it came to indexing a log file from a development test I get stuck on how to search for what I want. For example the log files look something like this:
Test1: Total: 3 Succeeded: 3 Failed: 0
Test2: Total: 5 Succeeded: 4 Failed: 1
Test3: Total: 3 Succeeded: 3 Failed: 0
I would like to be able to know how many time the whole deployment test succeeded. If it failed which test it failed on, and graph the results. I have had difficulties trying to get the numbers after Total, Succeeded, and Failed in to integers I have tried tonumber and I think it has worked. But after that I am not sure how to get it to reference the Test number it goes with
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a search time field extraction using the rex command.You could also declare this in props.conf using EXTRACT.
Test1: Total: 3 Succeeded: 3 Failed: 0
Test2: Total: 5 Succeeded: 4 Failed: 1
Test3: Total: 3 Succeeded: 3 Failed: 0
... | rex field=_raw "(?<test_id>\w+):\s\w+:\s(?<total_count>\d+)\s\w+:\s(?<success_count>\d+)\s\w+:\s(?<fail_count>\d+)"
Then, with the fields extracted, there are many different potential searches , here are a couple to get you started.
"how many time the whole deployment test succeeded"
... | stats sum(total_count) as "Total Tests" sum(success_count) as "Succeeded" sum(fail_count) as "Failed"
"If it failed which test it failed on"
...| where fail_count > 0 | stats sum(fail_count) as "Failed Tests" by test_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Here is a search time field extraction using the rex command.You could also declare this in props.conf using EXTRACT.
Test1: Total: 3 Succeeded: 3 Failed: 0
Test2: Total: 5 Succeeded: 4 Failed: 1
Test3: Total: 3 Succeeded: 3 Failed: 0
... | rex field=_raw "(?<test_id>\w+):\s\w+:\s(?<total_count>\d+)\s\w+:\s(?<success_count>\d+)\s\w+:\s(?<fail_count>\d+)"
Then, with the fields extracted, there are many different potential searches , here are a couple to get you started.
"how many time the whole deployment test succeeded"
... | stats sum(total_count) as "Total Tests" sum(success_count) as "Succeeded" sum(fail_count) as "Failed"
"If it failed which test it failed on"
...| where fail_count > 0 | stats sum(fail_count) as "Failed Tests" by test_id
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Modernize your Splunk Apps – Introducing Python 3.13 in Splunk
Step into “Hunt the Insider: An Splunk ES Premier Mystery” to catch a cybercriminal ...
SplunkTrust Application Period is Officially OPEN!
